Discussion 1


Introduction to Risk

Individuals, businesses and governments face risk daily. Risk takes different forms and may be described as business, non-business, or financial risk. Irrespective of the type of risk, it’s important to remember the basic goals of security: to maintain confidentiality and integrity while also ensuring the availability of data and systems. Organizations and governments employ different approaches to mitigating risk, but all of them depend on a good understanding of the risk elements: (i) vulnerabilities, (ii) threats and threat agents, (iii) impact, and (iv) likelihood. Other considerations include the organization’s or government’s appetite for risk, its business goals, and its internal and external drivers (laws, regulations, and standards). Proven strategies for dealing with risk use an enterprise risk management approach and rely on risk management frameworks including, but not limited to, NIST’s Risk Management Framework, ISACA’s Risk IT Framework, and COBIT 2019.



Follow these directions to complete the assignment:

Identify a cybersecurity-related attack:

Using scholarly sources and/or the web, research, identify, and share an example of a cybersecurity-related attack. Examples may include cyber warfare such as “Stuxnet” or the “Equifax” data breach. Feel free to use any of these. Once you’ve decided on the example you will share, “claim” it by posting it to the discussion. Do not post about the same type of attack as your classmates.

Create your post:

In a discussion post of approximately 600 to 800 words, explain risk and risk elements related to this attack, including a synopsis, attack type, characteristics, vulnerabilities, threats & threat agents, impact, and likelihood of this attack. You may need to make some assumptions as you write about the risk elements. Clearly state any assumptions that you make. Do not offer a potential solution to the attack;


Action Items

  1. Complete all of the reading for this module.
  2. Claim the cybersecurity-related attack you intend to discuss by posting it to the discussion.
  3. Create your discussion post according to the directions in the overview.


Risk Concepts

In this chapter, you will:

•  Review basic security concepts

•  Learn about standards, frameworks, and best practices related to risk identification, assessment, and evaluation

•  Learn to describe how business goals, information criteria, and organizational structures affect risk

•  Determine how information systems architecture presents risk to the organization

•  Learn about risk ownership and awareness

•  Recognize legal, regulatory, and contractual requirements for risk management within the organization

This chapter will review a large portion of Certified in Risk and Information Systems Control (CRISC) Domain 1: Risk Identification with coverage of fundamental information security and risk management concepts. We’ll cover a good deal of the terminology associated with risk management and many of the core concepts you’ll need to be familiar with for the exam, but we will go into more depth on many of these concepts in later chapters.

The CRISC exam topics that we cover in this chapter are as follows and include the following domain objectives and knowledge statements:

•  1.6 Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives

•  1.7 Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture

NOTE    Throughout the book, the task and knowledge statements are listed in the order they are described in the CRISC Job Practice areas, not necessarily how they are presented in the chapter.

Basic Security Concepts

To successfully sit for the CRISC exam, you should be familiar with some basic security concepts. You can’t be expected to know how to manage risk in a security environment if you don’t understand the basics of security. We’ll assume you have some level of experience already as a security professional since risk management is a significant portion of (and a logical career progression from) the information security profession. You may also have had some level of experience in specific risk management processes during your career. As such, we won’t go into detail on the basic security concepts in the upcoming sections; this chapter will just serve as a quick refresher to remind you of certain security concepts.

The CRISC exam is not a technical exam; it is more of a process- and management-oriented exam, so we won’t delve into firewall configuration rules, protocol filtering, encryption, or any of the other fun stuff that security professionals do. We will, however, discuss a couple of other security concepts that are important to know for the exam since risk affects all of these concepts in different ways.

Goals of Information Security

Traditional security doctrine, as well as fundamental security knowledge you may learn from various training courses and on-the-job experience over the years, teaches that there are three fundamental security goals. These goals are what we’re striving for as security professionals; they are confidentiality, integrity, and availability. You’ll sometimes see these three terms strung together as an acronym, such as the CIA triad or, occasionally, as the AIC triad, depending upon the different security literature you read. In any event, these three goals are what you want to achieve for all of your information systems and data. They are also characteristics that you want all of your systems, processes, procedures, methods, and technologies to have. We will discuss these three items in the next few sections and why they are important to the security profession. We’ll also briefly describe some of the risks associated with these three goals.


Confidentiality

The goal of confidentiality is to keep information systems and data from being accessed by people who do not have the authorization, need-to-know, or security clearance to access that information. In other words, confidentiality means that only authorized individuals and entities should be able to access information and systems. Confidentiality can be achieved through a number of security protection mechanisms, such as rights, privileges, permissions, encryption, authentication, and other access controls. If the confidentiality of data or information systems is breached, you get the opposite of confidentiality, which is unauthorized disclosure. Unauthorized disclosure is a risk to data and information systems and one that we as security professionals struggle hard to protect against.


Integrity

Integrity is the characteristic of data that means the data has not been subject to unauthorized modification or alteration. In other words, it means data is left in the same state as it was when it was stored or transmitted. So, when it is accessed again or received, it should be identical to the data that was originally stored or transmitted. Integrity is achieved in several ways, by using checksums, message digests, and other verification methods. Data alteration is the opposite of integrity, particularly when the modification has not been authorized by the data owner. Data modification or alteration can happen accidentally, such as when it may be inadvertently changed because of human error or faulty transmission media. It can also happen intentionally (which is usually malicious in nature when this modification is unauthorized) by direct interaction with data during storage or transmission, such as during an attack, for example. This risk to data affects whether the data can be trusted as authentic or true, whether it can be read as intended, and whether it is corrupt.


Availability

Availability is when data and systems are accessible to authorized users at any time or under any circumstances. Even if data is kept confidential and its integrity remains intact, that does you no good if you can’t access it when you need it to perform critical business functions. Availability ensures you have this data (and the information systems that process it) at your fingertips. Just as confidentiality and integrity have their opposites, data destruction or denial of service is the opposite of availability. This risk to your information systems could prevent authorized consumers of that data or users of that information system from performing their jobs, thus severely impacting your business operations. Figure 1-1 shows the relationships of the three information security goals to one another.

Figure 1-1    The three goals of information security

EXAM TIP    You will need to understand the definitions of the goals of information security well for the exam. Almost everything in information risk management supports these three goals, either directly or indirectly.

Supporting Security Goals

Popular security theory sets forth the three overarching security goals but also provides for auxiliary elements that support these goals in various ways. These are concepts that, both individually and combined, help you as a security professional to maintain data confidentiality, integrity, and availability, as well as protect your systems from unauthorized use or misuse. We’ll discuss these different security elements and other concepts, as well as how they support the three primary goals of security, in the next few sections.

Access Control

As a security professional, you probably already know that a security control is a security measure or protection applied to data, systems, people, facilities, and other resources to protect them from adverse events. Security controls can be broken down and categorized in several ways. Access controls directly support the confidentiality and integrity goals of security and indirectly support the goal of availability. An access control essentially means that you will proactively ensure that only authorized personnel are able to access data or the information systems that process that data. Access controls ensure that only authorized personnel can read, write to, modify, add to, or delete data. They also ensure that only the same authorized personnel can access the different information systems and equipment used to store, process, transmit, and receive sensitive data.

There are several different types of access controls, including identification and authentication methods, encryption, object permissions, and so on. Remember that access controls can be administrative, technical, or physical in nature. Administrative controls are those that are implemented as policies, procedures, rules and regulations, and other types of directives or governance. For example, personnel policies are usually administrative access controls. Technical controls are those that are most often associated with security professionals, such as firewalls, proxy servers, virtual private network (VPN) concentrators, encryption techniques, file and folder permissions, and so on. Physical controls are those used to protect people, equipment, and facilities. Examples of physical controls include fences, closed-circuit television cameras, guards, gates, and restricted areas.

In addition to classifying controls in terms of administrative, technical, and physical, you can also classify access controls in terms of their functions. These functions include preventative controls, detective controls, corrective or remedial controls, deterrent controls, and compensating controls. All of the different controls can be classified as one or more of these different types of functions, depending upon the context and the circumstances in which they are being used.

Data Sensitivity and Classification

Asset is a general, all-encompassing term that could include anything of value to an organization. The term asset can be applied to data, systems, capabilities, people, equipment, facilities, processes, proprietary methods, and so on; it is anything the organization values and desires to protect. Organizations normally determine how important their assets are to them and how much protection should be afforded to those assets. For example, intellectual property is an extremely valuable asset to the organization and is normally well protected. This is really the basic fundamental concept of risk management—how much security or protection a particular system or piece of data requires, based upon how likely it is that something bad will happen to it, balanced with what the organization can really afford to spend on the protection for that asset. To make reasonable decisions on how much security an asset needs, the organization has to decide how much the asset is worth to it. We’ll discuss worth in terms of dollars a bit later in the chapter, but for now let’s look at it from a perspective of asset sensitivity. In terms of sensitivity, you’ll usually see the term data sensitivity in particular, but you could also broadly consider sensitivity for any asset in an organization.

Data (or other asset) sensitivity refers to how much protection the organization feels a particular system or piece of data requires, based upon its value to the organization and the impact if it were lost, stolen, or destroyed. For example, information published on the organization’s public website or in the company newsletter is public knowledge and is usually easily retrievable if, for some reason, the hard disk containing that data fails or is erased. Since the data is public, you may not consider that data to be very sensitive in nature and require little protection for it. On the other hand, customer order data is extremely important to the organization simply because its business operations depend upon that data in order to function and turn a profit. So, it makes reasonable sense that the organization would spend a little bit more time, money, and effort in protecting that particular data. Therefore, its sensitivity, or classification level, would be considered somewhat higher than public data. Generally, the higher the sensitivity of the data, the more protection it is given.

In basic security classes, you typically learn about the different classifications of data found in both commercial organizations and government ones. In commercial organizations, typical data sensitivity labels include Private, Company Sensitive, Proprietary, and so on. In the U.S. government, data sensitivity levels include Confidential, Secret, and Top Secret, and they are classified based upon the level of damage to the security of the United States that could be incurred if data at these various classification levels were disclosed or lost. Remember that data sensitivity is driven by the value of the data to the organization and by the impact if it is lost, stolen, or destroyed, and it is balanced by the commitment of resources the organization is willing to provide to protect that data. Data sensitivity and classification policies specify the different formal levels of sensitivity in the organization and what those levels require in terms of protection.

Identification and Authentication

Identification and authentication are often misunderstood terms. They are related, to be sure, but they are not the same thing and really shouldn’t be used interchangeably by a knowledgeable security professional. Identification refers to the act of an individual or entity presenting valid credentials to a security system in order to assert that they are a specific entity. When you enter a username and password into a system, for example, or insert a debit card into an automated teller machine and enter a personal identification number (PIN), you are identifying yourself. Authentication is the second part of that process, where your identity is verified against a centralized database containing your authentication credentials. If the credentials you have presented match those in the authentication database, you are authenticated and allowed access to the network or resource. If they do not match, you are not authenticated and are denied access.

There are several methods of identification and authentication, including single factor (such as username and password, for example) and multifactor, which consists of two or more of the following: something you know (knowledge factor), something you have (possession factor), or something you are (biometric or inherence factor). Authentication also uses a wide variety of methods and technologies, such as Kerberos and 802.1X, for example.


Authorization

Authentication to a resource doesn’t automatically guarantee you have full, unrestricted access to a resource. Once you are authenticated, the system or resource defines what actions you are authorized to take on a resource and how you are allowed to interact with that resource. Authorization is what happens once you’ve successfully identified yourself and been authenticated to the network. Authorization dictates what you can or can’t do on the network, in a system, or with a resource. This is usually where permissions, rights, and privileges come in. In keeping with the concept of least privilege, users should be authorized to perform only the minimum actions they need in order to fulfill their position responsibilities. Authorization has a few different components. First, there is need to know. This means there must be a valid reason or need for an individual to access a resource, and only to a certain degree. Second, an individual may have to be trusted, or cleared, to access a resource. This may be accomplished through a security clearance process or nondisclosure agreement, for example.

EXAM TIP    Understand the differences between identification, authentication, and authorization. Remember that identification is simply presenting credentials, while authentication is verifying them. Authorization dictates what actions an individual can take on a system.


Accountability

Accountability means that a person is going to be held responsible for their actions on a system or with regard to their interaction with data. Accountability is essentially the traceability of a particular action to a particular user. Users must be held responsible for their actions, and there are different ways to do this; it is usually assured through auditing. First, there must be a unique identifier that is tied only to a particular user. This way, the identity of the user who performs an action or accesses a resource can be positively established. Second, auditing must be properly configured and implemented on the system or resource. What you are auditing is a user’s actions on a system or interactions with a resource. For example, if a user named Sam deletes a file on a network share, you want to be able to positively identify which user performed that action, as well as the circumstances surrounding the action (such as the time, date, from which workstation, and so on). This can be accomplished only if you have auditing configured correctly and you take the time to review the audit logs to establish accountability.

NOTE    Although related, accountability is not the same thing as auditing. Accountability uses auditing as just one method to ensure that the actions of users can be traced to them and that they are held responsible for those actions. Other methods, such as nonrepudiation, are used as well.
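The sequence described in the preceding sections (identification, then authentication, then authorization, with every attempt recorded so the action can later be traced to a unique user), as an added example that is not from the chapter. The user names, the credential store, the access control list and the audit record layout are assumptions made for illustration.

```python
"""Added example, not from the chapter: a minimal access-control flow that
keeps identification, authentication, authorization and accountability as
distinct steps.  User names, the credential store, the ACL and the audit
record format are assumptions made for illustration."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000


def make_credential(password: str) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed credential store: unique identifier -> (salt, hash).
CREDENTIALS = {
    "sam": make_credential("correct-horse-battery"),
    "alice": make_credential("staple-purple-monkey"),
}

# Constructed ACL applying least privilege: each user gets only the actions
# their role needs on each resource (need to know).
ACL = {
    "share/reports": {"sam": {"read", "delete"}, "alice": {"read"}},
}

# Audit trail: every attempt, allowed or denied, is tied to a unique user id.
AUDIT = []


def identify(username: str):
    """Identification: the caller asserts an identity; the system only checks
    that the asserted identifier is one it knows."""
    return username if username in CREDENTIALS else None


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the presented secret against the stored hash."""
    salt, stored = CREDENTIALS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: is this authenticated user permitted this action here?"""
    return action in ACL.get(resource, {}).get(username, set())


def perform(username, password, resource, action, workstation, when=None) -> str:
    """Run the full pipeline and record the outcome for accountability."""
    when = when or datetime.now(timezone.utc)
    user = identify(username)
    if user is None:
        outcome = "denied: unknown identity"
    elif not authenticate(user, password):
        outcome = "denied: authentication failed"
    elif not authorize(user, resource, action):
        outcome = "denied: not authorized"
    else:
        outcome = "performed"
    AUDIT.append({"user": username, "resource": resource, "action": action,
                  "workstation": workstation, "time": when.isoformat(),
                  "outcome": outcome})
    return outcome


def who_did(action: str, resource: str):
    """Accountability: trace a completed action back to user, time and workstation."""
    return [r for r in AUDIT
            if r["action"] == action and r["resource"] == resource
            and r["outcome"] == "performed"]
```

Denied attempts are logged as well as successful ones, because a failed authentication or an authorization refusal is exactly the kind of event an audit review needs to see.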


Nonrepudiation

Nonrepudiation is closely related to accountability. Nonrepudiation ensures that the user cannot deny that they took an action simply because the system is set up such that no one else could have performed the action. The classic example of nonrepudiation is given as the proper use of public key cryptography. If a user sends an e-mail that is digitally signed using their private key, then they cannot later deny that they sent the e-mail, since only they are supposed to have access to the private key. In this case, the user can be held accountable for sending the e-mail, and nonrepudiation is assured.

Figure 1-2 summarizes the relationships between access controls, the supporting elements of information security, and the three information security goals. Note that there is no hard-and-fast rule about mapping security elements and access controls to security goals; all of these elements and controls can support any one or even more than one goal at a time. For example, encryption, a technical access control, can support both confidentiality and data integrity at the same time.

Figure 1-2    How access controls support security elements and information security goals

NOTE    Although other books may describe the supporting elements of the security goals differently, the basic ones we’ve described here are common and directly support the three goals of confidentiality, integrity, and availability.

Risk Management Concepts

Now that we have framed some of the important information security concepts, such as the security goals and supporting elements, we will explain the basics of how risk is managed with relation to these concepts. As this chapter covers the foundational concepts associated with risk, we’ll cover the different terms you need to know for risk management. Risk management is the overall process of developing a strategy for addressing risk throughout its life cycle and includes several components. These include risk identification, assessment, analysis, evaluation, and response. We’ll talk about each of these different processes later in the chapter, as well as throughout this book. For the exam, you’ll need to know how these basic processes work, and as you proceed through this book, you will learn how to perform each of these risk management steps.

Risk Terms and Definitions

To fully appreciate the overall concepts of risk management and prepare for the exam, you need to be familiar with several key terms and concepts. In the next few sections, we’ll explain several of these key terms and concepts. Understand, however, that risk can be a complex body of knowledge to comprehend, so these are explained only at the basic level during this chapter. We will go far more in-depth on each of these terms and concepts throughout the remainder of this book, including how the terms relate to each other in the overall risk management process.


Vulnerabilities

Vulnerabilities are weaknesses in a system, operation, or facility that would make these resources susceptible to being exploited by a threat. Vulnerabilities can exist in the way a system processes, transmits, or stores data; they can also exist in the technologies that make up a system or even in its design. Even people can have vulnerabilities; one such weakness that affects the people in an organization is complacency. This weakness might prevent them from always following security practices, for example, and allow a security threat to take advantage of that weakness. Facility vulnerabilities could include a lack of physical security controls, a “blind spot” near a doorway to a secure area where an intruder may hide, and so on. One of the first steps in managing risk is to identify all of the vulnerabilities that exist within a system or facility so they can be adequately addressed. This is usually accomplished by conducting a vulnerability assessment, which attempts to thoroughly identify any and all vulnerabilities inherent to a system and its people, operations, policies, procedures, and facilities. We’ll discuss vulnerability assessments more in Chapter 2, but for now keep in mind that while a vulnerability assessment can be conducted as a stand-alone type of assessment, it really doesn’t have as much value unless it is part of a larger risk assessment, where it can be brought into context with other important elements of risk.

Threats and Threat Agents

A threat is a danger of harm that can be enacted on an asset. The asset has to be in danger from this threat and, theoretically, if there is no danger, then there is no threat. Threats exploit specific vulnerabilities. A threat must have a matching weakness in a system that it can exploit, or act upon, if it is to be an effective threat. An example of a threat and vulnerability pairing might be the use of a weak encryption algorithm in a system (a vulnerability) and a cryptographic attack against that algorithm (the threat). If the system used a much stronger algorithm, then the vulnerability would not exist, and that particular threat would not be a danger or risk to the system for that specific instance. A threat agent is something that causes or initiates a threat against a vulnerability. In the example given previously, a hacker or malicious actor would be the threat agent that exercises the cryptographic attack (threat) against the weak algorithm (vulnerability). Table 1-1 gives some other examples of threats, vulnerabilities, and threat agents to further emphasize these concepts.

Table 1-1    Examples of Threats, Vulnerabilities, and Threat Agents

As you can see from Table 1-1, a threat is only the presence of something that can exploit a vulnerability; the vulnerability can be a concrete weakness or even the absence of a security control within the system (such as a lack of backup power or data destruction policy, for example) that creates a weakness or vulnerability. The presence of both of these conditions at the same time creates the potential for danger or harm to a system, its data, the people, or the facilities. This potential danger is defined as risk, but we will present a more comprehensive definition of that term in the next few sections. From the table you can also see that both vulnerabilities and threats directly affect the three primary goals of security (confidentiality, integrity, and availability). Both threats and vulnerabilities can also be different combinations of administrative, technical, physical, and operational in nature.

Threat assessments are often conducted to identify matching threat and vulnerability pairings, as well as the threat agents that could exercise a threat. Like a vulnerability assessment, a threat assessment does not necessarily have to be part of risk management, but it can definitely support it. Threat assessments are conducted using a wide variety of data, including historical trends, statistical analysis, industry data, and other information from sources including the government, vendors, and even the organization itself.


Impact

Impact is what happens to the organization or to the business when a weakness or vulnerability is exploited by a threat. Impact can be expressed as a level of damage to an asset or the organization itself. It can be seen as how the business or operations of an organization are affected by a threat that exercises a vulnerability. Impact can also be cumulative; several smaller impacts that affect different systems within an organization can be additive and create a much larger impact on an organization than any one of them would. Impact can be expressed in terms of revenue lost based upon a complete or partial loss of an asset or process. It can also be expressed in terms of other concrete numbers or even in subjective terms, based upon how serious the organization determines the effect of the event to be.


Likelihood

Likelihood is the probability of a threat exploiting a particular vulnerability. During threat and vulnerability assessment processes, the organization will normally determine the seriousness of a threat in terms of its impact if it occurs, based upon a certain level of weakness in the system. The organization also routinely determines the likelihood of these threats, given existing security controls and protections for an asset in the organization. For example, the likelihood of an intruder breaking into an extremely secure facility that has gates, guards, and guns surrounding it, as well as high security fences, might be extremely low. A different facility without all of these security protections might have a much higher likelihood of the same threat. In addition to security controls protecting an asset, other environmental factors might come into play, such as the facility residing in a “bad” neighborhood, distance from police and other emergency services, motivation of the threat agent, and so on. All of these different factors, which are really unique to the operational environment and asset in question, should be considered when determining the likelihood that a threat could occur. As with impact, likelihood could be measured in statistical percentages or subjective terms.


Risk

The four elements just described—vulnerabilities, threats and threat agents, impact, and likelihood—combine to make up the fundamental parts of risk. Risk is sometimes a difficult concept to get your arms around because it can be explained with different definitions, especially within the security community. On one hand, risk is a relative level of danger or harm to an asset. It’s also sometimes defined as the likelihood of a negative event happening to an organization and impacting its business operations. Another way of saying it might be the likelihood of a threat exploiting a vulnerability, causing an impact to an asset.

In any event, risk is a combination of these four factors, and it is a value that can be relatively measured using these factors. For example, impact can be expressed in lost revenue (dollars), lost productivity (labor hours), or even loss of market share (a drop in sales). Likelihood can be measured as a statistical probability (a percentage, for example) or even a subjective measurement, such as high, medium, or low. Threats and vulnerabilities can be a little bit more difficult to assign concrete values to; usually these values are also subjective, such as high, medium, or low designations. Later in this chapter, we’ll discuss how these values can be measured and risk can be expressed, using either quantitative (expressed as numbers) or qualitative (expressed using subjective values) methods. Figure 1-3 attempts to bring together all of these factors to illustrate their relationships, helping you to better grasp the concept of risk.

Figure 1-3    Threats, vulnerabilities, likelihood, and impact

Two terms associated with risk that we will briefly describe here include inherent risk and residual risk. Inherent risk is associated with any endeavor, including risk associated with technologies, business processes, markets, and so on. All endeavors that businesses embark on contain some inherent risk that may be both unique to the particular endeavor and common to a technology or process. Residual risk, which we’ll discuss in depth later in the book, is the risk that remains after we have taken steps to respond to risk, either by reducing it or by mitigating it. It is a commonly accepted fact within the risk management community that risk can never be entirely eliminated; it can only be reduced to a manageable or acceptable level. Residual risk is normally the amount of risk left over after you’ve taken these steps, which must then be accepted. We’ll discuss more about risk response in Chapter 5.


It’s worth mentioning here that organizations typically maintain data associated with risk, including identified threats and vulnerabilities, as well as their likelihood and impact determinations, in what is known as an enterprise risk management (ERM) program. In addition to being a system that records and assists in analyzing risk management data, ERM is also the formal management program, including processes and methodologies, that the organization uses to manage risk throughout its entire life cycle.

EXAM TIP    Understand the differences and relationships between the four risk elements of threats, vulnerabilities, likelihood, and impact. Threats exploit vulnerabilities, and the level of risk is based upon the likelihood of the threat exploiting a given vulnerability and the impact to the system if it occurs.

Risk Culture, Appetite, and Tolerance

An organization normally has a risk culture, which is essentially how the organization as an entity feels about and deals with risk. This culture is developed from several sources. First, it can come from the organization's leadership, based upon their business and management philosophies, attitudes, education, and experience. It can also come from the organization's governance. Remember that governance is essentially the rules and regulations imposed either by external entities (in the form of laws, for example) or internally by the organization itself.

In any case, the culture of the organization really defines how the organization feels about risk and how it treats risk over time. Risk appetite and risk tolerance are two further terms you need to know to understand risk, and both are shaped by the organization's risk culture. Risk appetite is, in effect, how much risk an organization is willing to take on in any given endeavor: the general level of risk that it is willing to accept in the course of its business. An organization's risk appetite is driven both by its risk culture and by the environment the organization exists in (market, regulation, and other external factors).

Risk tolerance, on the other hand, is the acceptable level of deviation in risk for a particular endeavor or business pursuit. Risk tolerance is how much variation from the expected level of risk the organization is willing to put up with. There’s a certain amount of risk in every business enterprise or pursuit; however, the organization may not be able or willing to tolerate large deviations from what it considers is its acceptable level of risk on an endeavor.

EXAM TIP    Know the differences between risk appetite and risk tolerance; risk appetite involves how much risk the organization is willing to endure, and risk tolerance is how much variation from that amount is acceptable to the business for a particular venture. Risk culture drives both of these factors.
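The passages above describe risk as a combination of threat, vulnerability, likelihood, and impact; inherent versus residual risk; and the comparison of residual risk against appetite and tolerance. The following Python script is an added example (not from the book) that puts those ideas into a small, runnable risk-scoring model: a qualitative likelihood/impact matrix alongside a quantitative annualized loss expectancy, a residual calculation after a control, and an appetite/tolerance decision. The 3-point scales, matrix thresholds, the ALE = SLE x ARO model, the sample register entry, and the appetite and tolerance figures are all constructed for illustration; a real program would calibrate every one of them to its own risk culture.

```python
"""Scoring the four risk elements qualitatively and quantitatively,
then comparing residual risk against appetite and tolerance.

Added example, not from the CRISC text. Every scale, threshold and
sample figure below is constructed for illustration only.
"""
from dataclasses import dataclass

# Assumed 3-point qualitative scale used for threat, vulnerability,
# likelihood and impact alike.
SCALE = {"low": 1, "medium": 2, "high": 3}


def _bucket(score: int) -> str:
    """Map the product of two 3-point ratings (1..9) back onto the scale.
    Assumed thresholds: 1-2 low, 3-4 medium, 6-9 high."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def qualitative_likelihood(threat: str, vulnerability: str) -> str:
    """Threats exploit vulnerabilities: a capable threat against a severe
    weakness is likely; either rating being low pulls likelihood down."""
    return _bucket(SCALE[threat] * SCALE[vulnerability])


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Risk level read off a likelihood x impact matrix."""
    return _bucket(SCALE[likelihood] * SCALE[impact])


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """Quantitative view: SLE = asset value x exposure factor (fraction of the
    asset lost per event); ALE = SLE x annualized rate of occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value")
    return asset_value * exposure_factor * aro


def residual_ale(inherent_ale: float, control_effectiveness: float) -> float:
    """Residual risk = the share of the inherent loss a control does not
    prevent. Effectiveness of exactly 1.0 is rejected: risk is reduced,
    never eliminated."""
    if not 0.0 <= control_effectiveness < 1.0:
        raise ValueError("control effectiveness must be in [0, 1)")
    return inherent_ale * (1.0 - control_effectiveness)


def appetite_decision(residual: float, appetite: float, tolerance: float) -> str:
    """appetite  = annual loss the organisation is willing to carry;
    tolerance = acceptable deviation above appetite, as a fraction of it."""
    if residual <= appetite:
        return "within appetite"
    if residual <= appetite * (1.0 + tolerance):
        return "within tolerance"
    return "exceeds tolerance"


@dataclass
class RiskEntry:
    """One row of a risk register (constructed field set)."""
    name: str
    threat: str
    vulnerability: str
    impact: str
    asset_value: float
    exposure_factor: float
    aro: float
    control_effectiveness: float


def score(entry: RiskEntry, appetite: float, tolerance: float) -> dict:
    """Produce both the qualitative and the quantitative view of one entry."""
    likelihood = qualitative_likelihood(entry.threat, entry.vulnerability)
    inherent = annualized_loss_expectancy(entry.asset_value,
                                          entry.exposure_factor, entry.aro)
    residual = residual_ale(inherent, entry.control_effectiveness)
    return {
        "name": entry.name,
        "likelihood": likelihood,
        "qualitative_risk": qualitative_risk(likelihood, entry.impact),
        "inherent_ale": inherent,
        "residual_ale": residual,
        "decision": appetite_decision(residual, appetite, tolerance),
    }


# Constructed sample entry: a capable threat, a moderately severe weakness,
# a $2M asset losing a quarter of its value per event about once in 5 years,
# and a control assumed to stop 70% of that loss.
SAMPLE = RiskEntry("customer database exposed via unpatched web application",
                   threat="high", vulnerability="medium", impact="high",
                   asset_value=2_000_000, exposure_factor=0.25, aro=0.2,
                   control_effectiveness=0.7)

if __name__ == "__main__":
    # Assumed appetite of $25k/year with 25% tolerance above it.
    print(score(SAMPLE, appetite=25_000, tolerance=0.25))
```

Note that the two views disagree in a useful way: qualitatively the entry is "high" risk, yet the quantified residual loss sits inside the tolerance band. That gap is exactly what a risk owner has to explain when presenting IT risk to management in business terms.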

Standards, Frameworks, and Best Practices

Managing risk is not an ad hoc process. It can be a complex effort and involves establishing a formal program with responsible people leading it. It requires developing procedures and processes that are defined, repeatable, and defendable. Fortunately, you don’t have to reinvent the wheel; most of this work has already been done for you in the form of established frameworks, methods, standards, and practices. One of the first things you’ll want to do when establishing a risk program is to understand what type of framework, processes, standards, and practices you will use since there is a variety to choose from. You must try to use the one that fits your organization the best, and you can’t do that unless you have at least a basic understanding of the more defined, standardized ones used in the industry. Let’s take a moment and discuss the difference between frameworks, standards, and practices.

A framework is generally an overarching methodology for a set of activities or processes. It may not get into the detailed processes and procedures; instead, it provides a high-level view of the general direction and steps used to build a more detailed program or process. A framework is used as an overall architecture for a larger effort. A framework has characteristics that include defined steps and repeatability and can be tailored based upon the organization's needs. In terms of a risk management framework, you may have a set of general steps defining how to approach risk management, including listing the processes and activities necessary to build such a program or effort. You would then break down these larger steps into specific supporting procedures for this effort based on the needs of your organization and based on standards (described in a moment). Frameworks are typically selected and adopted at the strategic level of corporate management and governance.

A standard is a mandatory set of procedures or processes used by the organization, and standards usually fit into an overall framework. Standards often define more detailed processes or activities used to perform a specific set of tasks. Standards are used for compliance reasons and made mandatory by an organization or its governance. The National Institute of Standards and Technology (NIST) standards are mandatory for use by the U.S. federal government, for instance, but are published as an option for private organizations and industries to adopt if they so choose. If an organization adopts the NIST standards for risk management, for example, then the organization may make them mandatory for use by its personnel. Then all processes and activities for a given effort within the organization would have to use and meet those standards. Some standards define the level of depth or implementation of a security control or measure. The Federal Information Processing Standards (FIPS) for cryptography are an example of this: FIPS 140 defines graded security levels for cryptographic modules, and FIPS 197 specifies the AES algorithm, so a policy can require a particular FIPS 140 level or a FIPS-approved algorithm. If you create security policies and procedures for implementing cryptography within the organization, the FIPS standards could tell you to what level those policies and procedures must be implemented.

A practice is a normalized process that has been tried and proven as generally acceptable within a larger community of practice. Practices could also be developed by a standards organization or a recognized authority regarding a particular subject or particular process. Professional industry organizations or vendors often develop practices documents. You might also see “best practices” promulgated by various industries or organizations, for example. Practices are not usually mandatory but could be made mandatory by the corporate management or other governance if they were so inclined.

The next few sections give more detailed examples of some of the formal frameworks and standards you should be familiar with for the exam and in real life as a risk management professional. We recommend you pay particular attention to the ones developed and published by ISACA; these are listed in the exam task and knowledge statements and will likely be present in some form on the exam. Of course, in this book, we will give only a brief overview of each, so you should take the time to review the actual standards and frameworks in-depth before you sit the exam.

NIST Risk Management Framework

The NIST Risk Management Framework (RMF) is a six-step methodology that provides for risk management all the way through the information systems life cycle. The steps for the RMF are briefly described in the following sections. Note that NIST SP 800-37, revision 2, later added an organization-level "Prepare" step ahead of these six, so current NIST documentation describes seven steps; the six described here are unchanged.

Step 1: Categorize Information Systems    This step involves inventorying the types of information on target systems and assigning a categorization level to each, based upon the impact that would result if the security goals of confidentiality, integrity, or availability were compromised for that particular information on the system. This step uses the values low, moderate, and high to rate each of the three goals for a particular type of information. Types of information processed on the system could include business-sensitive information, financial information, protected health information, and so on. FIPS 199, as well as NIST Special Publication 800-60, provides detailed guidance on categorizing information systems.

Step 2: Select Security Controls    Based upon these individual values, as well as an aggregate of them, step 2 involves choosing the applicable security controls you would assign to each information system. This step provides baselines of security controls based upon the low, moderate, and high values assigned during step 1. If the aggregate value of information or a system has been rated as high, for example, then the high baseline of security controls is employed for that system. Once the security control baseline has been established, the organization has the latitude and flexibility to add or subtract security controls from the baseline as it sees fit (a process NIST calls tailoring), based upon different factors including the applicability of some controls, the environment the system operates within, and so on. You can find the selected controls in the supporting NIST Special Publication 800-53, revision 4, which contains a catalog of all of the NIST controls. (Revision 5 of SP 800-53 has since moved the baselines into a separate companion document, SP 800-53B.)

Step 3: Implement Security Controls    In this step, the selected controls are applied to the information systems, and data is processed on those systems. This in itself is a large process that can cover a good deal of the life cycle of the system in question, and it may take significant time and resources. In this step, the organization is essentially securing the information system against validated threats and remediating identified vulnerabilities.

Step 4: Assess Security Controls    This step is where a lot of security professionals who manage certification and accreditation activities or perform risk assessments come into the picture. During this step, the controls that the organization selected for the information system are formally assessed, verifying that they were implemented correctly and validating that they perform as designed. They are assessed based upon their effectiveness in protecting against the threats they were implemented to protect against. During this step, the system is assessed in its current state, with all existing controls and mitigations in place. Based upon the assessment, there may be recommendations for further controls and mitigations, as well as alterations to the existing security posture for the system. In this step, the level of risk to the system and its data is normally analyzed and determined.

Step 5: Authorize Information Systems    Step 5 involves the decision from the entity with the power to authorize a system to be implemented and put into operation. This decision is based upon various factors, including the level of risk assessed during step 4, the risk appetite the organization has settled on, and the tolerance for risk that the organization is willing to accept. The decision to authorize a system for use may also come with caveats, including conditional authorization based upon the continued mitigation and reduction of risk by the system or data owner. This authorization is a formal authority for the system to operate, made by someone with the legal authority to make that decision. It is typically in writing and valid for only a specified period of time, after which the system must be reassessed for risk and control compliance.

Step 6: Monitor Security Controls    Continuous monitoring of security controls defines step 6 in the RMF; just because an authorization decision is rendered doesn't mean that the system will now be operated forever without continually monitoring its security posture for new or increased risks. Existing controls will be monitored for continued compliance and effectiveness against identified threats, new risks will be occasionally discovered for the system as new threats and vulnerabilities are identified, and the system will have to be reauthorized after a certain period of time. Note that the RMF is a cyclical process; all these steps will be re-accomplished for each system at various times over the system life cycle. Figure 1-4 summarizes and illustrates the NIST Risk Management Framework.

Figure 1-4    The NIST Risk Management Framework (courtesy of NIST, from Special Publication 800-53, revision 4)
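Steps 1 and 2 of the RMF are the mechanical part of the process: categorize each information type on the three security objectives, aggregate to a system-level category using the FIPS 199 high-water mark, pick the matching baseline, and tailor it. The Python below is an added example written for this page (it is not NIST's or the book's code) that carries that procedure through. The FIPS 199 impact levels and the high-water-mark rule are real; the information types, their provisional impact levels, the baseline membership of the control identifiers, and the tailoring decisions are constructed for illustration, so treat the small catalog as a sketch and consult SP 800-60 and the SP 800-53 baseline tables for the real values.

```python
"""FIPS 199 categorization and baseline selection (RMF steps 1 and 2).

Added example, not NIST's or the book's code. The control catalog and the
sample information types are constructed for illustration only.
"""

IMPACT_RANK = {"na": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def security_category(confidentiality: str, integrity: str, availability: str) -> dict:
    """FIPS 199 security category for one information type, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}.
    'na' (not applicable) is permitted only for confidentiality, i.e. for
    information that is already public."""
    levels = {"confidentiality": confidentiality.lower(),
              "integrity": integrity.lower(),
              "availability": availability.lower()}
    for objective, level in levels.items():
        if level not in IMPACT_RANK:
            raise ValueError(f"unknown impact level {level!r} for {objective}")
        if level == "na" and objective != "confidentiality":
            raise ValueError("'na' is only allowed for confidentiality (FIPS 199)")
    return levels


def high_water_mark(levels) -> str:
    """The FIPS 199 aggregation rule: the highest impact level present wins."""
    return max(levels, key=lambda lvl: IMPACT_RANK[lvl])


def categorize_system(info_types: dict) -> tuple:
    """Aggregate several information types into the system category.
    Per objective, take the high-water mark across all types; the overall
    system impact level is the high-water mark across the three objectives.
    A system is never rated below 'low', so an 'na' confidentiality rating
    is floored to 'low' at the system level."""
    per_objective = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(sc[objective] for sc in info_types.values())
        per_objective[objective] = "low" if hwm == "na" else hwm
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


# Sketch of SP 800-53 baselines: real control identifiers, but the
# baseline membership here is constructed and deliberately incomplete.
CONTROL_BASELINES = {
    "AC-2":    {"low", "moderate", "high"},   # Account Management
    "AC-2(1)": {"moderate", "high"},          # automated account management
    "AU-2":    {"low", "moderate", "high"},   # Audit Events
    "AU-6(1)": {"moderate", "high"},          # automated review/analysis
    "AU-10":   {"high"},                      # Non-repudiation
    "SC-28":   {"moderate", "high"},          # Protection of Information at Rest
}


def select_baseline(system_level: str) -> set:
    """Step 2: every control whose baseline set includes the system level."""
    if system_level not in ("low", "moderate", "high"):
        raise ValueError(f"no baseline for level {system_level!r}")
    return {cid for cid, levels in CONTROL_BASELINES.items() if system_level in levels}


def tailor(baseline: set, add=(), remove=(), rationale=None) -> set:
    """Tailoring: the organization may add or remove controls, but every
    removal must carry a documented rationale (assumed local rule, in the
    spirit of the tailoring guidance in SP 800-53)."""
    rationale = rationale or {}
    undocumented = [c for c in remove if c not in rationale]
    if undocumented:
        raise ValueError(f"no documented rationale for removing {undocumented}")
    return (set(baseline) | set(add)) - set(remove)


# Constructed sample system holding three information types.
SAMPLE_SYSTEM = {
    "public web content":     security_category("na", "moderate", "moderate"),
    "customer PII":           security_category("moderate", "moderate", "low"),
    "financial transactions": security_category("moderate", "high", "moderate"),
}


def run_steps_1_and_2(info_types: dict) -> dict:
    """Carry the sample through categorization, baseline selection and tailoring."""
    per_objective, overall = categorize_system(info_types)
    baseline = select_baseline(overall)
    # Assumed tailoring decision: the system has no interactive accounts, so
    # automated account management is scoped out with a recorded reason.
    tailored = tailor(baseline, remove={"AC-2(1)"},
                      rationale={"AC-2(1)": "no interactive user accounts on this system"})
    return {"per_objective": per_objective, "overall": overall,
            "baseline": baseline, "tailored": tailored}


if __name__ == "__main__":
    print(run_steps_1_and_2(SAMPLE_SYSTEM))
```

The point worth noticing is that a single high integrity rating on one information type (the financial transactions) drags the whole system to the high baseline, which is why inventorying information types carefully in step 1 matters so much for the cost of steps 2 and 3.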

As you can see from Figure 1-4, each step of the RMF has associated NIST publications that provide guidance on performing that particular step. Additionally, however, there are also NIST publications that help you manage the overall risk process within the organization. These publications support the RMF by providing more detail on processes and activities, such as managing risk in the organization, implementing the RMF, and even performing risk analysis. The three primary publications that support the RMF are:

•  SP 800-30, Guide for Conducting Risk Assessments

•  SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

•  SP 800-39, Managing Information Security Risk

Keep in mind that there are other standards, however, that support the individual steps of the RMF. These three provide the overall guidance and detail concerning how to implement the RMF's processes. Appendix A goes into detail on decomposing the different steps and associated publications with the NIST RMF, so see that part of the book for a complete breakdown of the framework.

COBIT

Control Objectives for Information and Related Technology (COBIT) is a framework developed by ISACA; it covers several key areas in business governance and IT enterprise management. COBIT covers key areas in auditing, compliance, information assurance, IT operations, and security risk management. This framework has been around for several years and through several iterations; COBIT 5 integrates several other frameworks developed by ISACA into a single unified framework, including the Risk IT, Value (Val) IT, and the IT Assurance Framework (ITAF). It also provides for easy integration of other popular frameworks and standards, including The Open Group Architecture Framework (TOGAF), the Project Management Body of Knowledge (PMBOK), the Information Technology Infrastructure Library (ITIL), Projects In Controlled Environments 2 (PRINCE2), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the many International Organization for Standardization (ISO) standards. This interoperability enables new users of COBIT to leverage any of these other standards they have already been using in their adoption of COBIT.

COBIT combines the best of tried-and-true standards into its fold; it is compatible with the principles of ISO/IEC 38500:2008, Corporate Governance of Information Technology, for example, and provides strategy and activities supporting those principles. COBIT also is interoperable, to various degrees, with standards such as the ISO/IEC 27000 series of standards and covers similar security and risk management areas under its domains.

COBIT consists of two layers in its model, governance and management, and separates those two layers into five governance processes and four management domains, respectively. These layers further break down into a total of 37 separate processes. Table 1-2 quickly summarizes these layers and domains and the processes they decompose into.

Table 1-2    COBIT 5 Layers, Domains, and Processes

Note that while COBIT covers a variety of business and IT processes and areas, those specific to risk management happen at both layers—governance and management—and are tightly integrated with other processes. COBIT in this regard is not a risk management framework per se, as is NIST’s RMF, but offers a broader view of management and governance across all major areas of a business. The next topic we cover, ISACA’s Risk IT Framework, supports COBIT and provides a more granular view of risk management practices and activities.

NOTE    Understand that while COBIT is important to the overall risk discussion, it is not a risk framework itself. It does, however, support management and governance of not only IT but other critical business areas as well. It also leads into a more detailed discussion on the ISACA Risk IT Framework, which does deal with IT risk.

The Risk IT Framework (ISACA)

The Risk IT Framework is a more concise, risk-related set of processes than offered by its related parent framework, COBIT 5. While COBIT covers the "big picture" of governance and management processes that support risk management programs in the organization, the Risk IT Framework gets more into the key processes of risk management, such as risk governance, evaluation, and response. The Risk IT Framework is complemented by ISACA's The Risk IT Practitioner Guide, available to ISACA members, which is an even more in-depth treatment of the processes and activities encountered during risk management.

The Risk IT Framework comes from traditional risk management principles of various enterprise risk management standards and describes activities and processes thought of as best practices in the industry. It provides a starting place for establishing these processes—sort of a map to navigate from a nonexistent or immature risk management program to a formalized, defined set of processes. The Risk IT Framework focuses more on the business risks of using IT in the organization's structure and how risk is involved with the gap often found between IT implementation and business goals. Table 1-3 lists the different domains of the Risk IT Framework model, with each of their three major processes.

Table 1-3    The Domains and Processes of ISACA’s Risk IT Framework

Keep in mind that we’ve covered only a few of the risk-related frameworks and standards available in the industry. Also, be aware that we’ve only scratched the surface of these bodies of knowledge in this chapter; a full discussion of every one of them is beyond the scope of this book. You should obtain and review these publications more before you sign up for the exam. There are also many other available frameworks and standards developed and promulgated by other professional organizations, government entities, industries, vendors, and so on. You should be familiar with as many of these as is relevant to your work since they help you turn risk management from “magic” into an art and science for your organization. The frameworks and standards we have described so far are the ones most relevant to your studies for the CRISC exam.

EXAM TIP    While you may not be expected to know the intricate details of each framework described here, it will be helpful to know at least the basic characteristics and descriptions of each. You may be asked to identify a particular characteristic of a framework on the exam.

Business Perspective of IT Risk Management

Up until this point, we have discussed risk strictly from an information security perspective; however, the business aspect of risk management is far more inclusive and broad than the information security focus we have presented so far in this chapter. Although, as an information security professional, you probably tend to look at things through a data protection lens, you must realize that information security risk is really a subset of the risk management considerations that affect the entire organization from a mission or business point of view.

There are several different perspectives of risk in the context of the business environment, most related to legal liability, governance, profitability, market share, and operations sustainability, to name just a few. We could also include risks to intangible elements, such as reputation, consumer confidence, shareholder value, and so on. Opportunity represents potential growth for a business, but opportunity always comes with some level of risk involved. The key to managing this risk is to balance risk of failure with the potential benefits of the business opportunity. Risk tolerance and appetite are factors that figure into this balance for the organization.

In this part of the chapter, we’ll cover the risk of information technology systems from more of an organizational and business perspective. We’ll explain different business and information technology structures and how they affect risk management within the organization. We’ll also cover infrastructure, platforms, and other aspects of technology that can introduce risk into the organization.

CAUTION    Remember that the focus on risk from upper management is usually on business risk, not merely IT risk. IT risk is only a small part of the risks faced by the organization in carrying out its mission and goals. You must sometimes frame risk in terms of the business mission, not only from an information technology perspective.

Business Goals and Objectives

Businesses exist with clear missions, goals, and objectives. The organization is in business for a particular purpose, not merely because people want to come to work every day and socialize. Missions, goals, and objectives directly relate to why the organization is in business in the first place, whether that is to develop and market a product or provide a service. Organizational senior management defines the business’s mission, goals, and objectives, typically on a strategic or long-term level. Senior management also defines the levels of risk tolerance and appetite, based upon factors that include the market space, operational environment, economy, governmental regulation, and so on. These risk levels directly articulate and support the business mission, balancing business opportunity that can generate revenue and move the business forward with potential negative events that may cause the business to fail, or at least have a detrimental impact to the organization.

TIP    Remember that risk appetite and tolerance are directly related to the business mission, although different business pursuits may have varying levels of each. Senior management sets those levels based upon the potential rewards from risky opportunities and the amount of loss the organization could endure if those rewards don’t materialize.

Business Information Criteria

Information is a commodity. Even if the company is in the business of producing goods to bring to market, it still relies on its information and its technology as enablers to produce those goods and deliver them to the market and consumers. Without the ability to generate, process, and otherwise use information, modern businesses would not be able to produce goods or services and compete in market spaces. So, any negative events that affect the organization’s ability to process information directly affect the ability of the organization to survive. Information technology directly supports business goals, objectives, and strategy. All elements of a business endeavor depend upon IT, including the organization’s information or data, its people, its line-of-business applications and systems, and its overall infrastructure, including all of its equipment and processes.

Information technology affects risks to the business enterprise in two ways. First, information technology is used to help protect the enterprise from risk; in other words, it serves to protect the information the business generates and relies on. That’s the purpose of having high-capacity storage, faster networking equipment, redundant systems, and security devices sprinkled throughout the infrastructure. The second way that IT affects risk is that it helps the organization to produce the information needed to fulfill its business goals and objectives in the first place. Without IT, there would be no information processed, no systems designed, and no advanced technologies developed for a business to take to market and compete with. So, IT serves to both protect information and generate it to advance business goals.

The information the business generates and uses has several key characteristics. First, it should be relevant to the processes it supports. It should also be timely; stale information can prevent a business from fulfilling its functions in both the short-term and the long-term. It should also be accurate and complete. This is where information integrity comes in, which is one of the goals of information security. Anything that affects the accuracy and completeness of information is a risk. Information should also be controlled for access. Again, you learned earlier in the chapter that confidentiality is one of the goals of information security; controlled access to information and the systems that process it is a must in order to maintain business function. As you might guess, another characteristic of business information is availability to the users who need it whenever and however they need it. This means that authorized users should have business information on a timely basis and in a format that suits their needs. Risk factors that affect any of these information characteristics, such as relevance, timeliness, integrity, confidentiality, and availability, must be considered in the overall risk management process for the organization. Any detrimental impact on these characteristics presents a risk to the business mission.

EXAM TIP    Many elements of risk management can be traced back to the three information security goals or the security tenets discussed earlier in the chapter. You should be able to examine risk and determine how it can be traced back to (and how it affects) those goals and tenets.

Organizational Structures

How the business is organized can help drive how it deals with risk, in several ways. Most businesses are organized from a functional perspective; in other words, there are departments and other hierarchical structures established to take care of specific functions that contribute to the business goals and objectives. For example, in a production-driven business, there may be a manufacturing or production department, an engineering department, a research and development department, or an assembly line. There will likely be additional departments that cover support functions, such as marketing, accounting and finance, public relations, and so on. A hospital, on the other hand, will be organized according to its specific functions, such as the emergency department, surgery, neurology, radiology, and so on. Businesses in other markets or areas will be organized differently as well. In any case, the organization of the business is structured as its mission and business purposes dictate. There are certain functions that may be found in any business and may deal with information technology, information security, or even legal compliance. These functional areas may have the primary function of dealing with risk, but an important thing to consider is that all different organizational structures, from lower-level work sections to higher-level departments and divisions, have responsibilities regarding risk.

The organization must look at its structure and decide how each individual unit will manage risk at its own level, understanding that risk management must be uniform throughout the entire organization. Another consideration is that risks tend to “roll up,” or be combined at the higher levels of organization. For example, risks that the accounting department incurs are only part of the higher organizational levels’ risks and included in the risk management processes. Each lower-level unit in an organizational hierarchy has risks that are part of the next higher levels’ risk considerations. While individual units may be responsible for only a small piece of the overall organizational risk, their parent units also bear responsibility for managing that risk, as well as the risk of other subordinate units. Another concept relating to organizational structures is that the risk incurred by one part of the organization is borne by all parts of the organization; there is almost no such thing as risk that affects only one small part of the business. Risk ripples across the entire organization in some way.

Each individual unit, whether it is a unit in the lower levels of the business hierarchy or at the highest levels, must take steps to identify, evaluate, and assess risks at their level. Risks may be thought of as tactical, operational, and strategic. Tactical risks are those that are encountered by smaller-level production sections, in other words, those that carry out the day-to-day work of the organization. Operational risks can span several work units and relate to how the business conducts its functions, as well as how the different work units interact with each other. Strategic risk is borne at the higher levels of the organization, including senior management, and involves risks incurred by leading the business toward opportunities and away from decisions that exceed the organization’s capacity for risk appetite and tolerance. Respectively, these three types of risks also correspond to short-term, mid-term, and long-term risks.

Regardless of the level of risk incurred within the organization, there must be an enterprise risk management strategy and program in place to deal with the lower-tier, middle-tier, and higher-tier risks, as well as ensure that all of the risks are managed consistently and uniformly. Governance from the higher levels of the organization affects risk appetite and tolerance and shapes the organization’s risk management strategy throughout all the different hierarchical levels. Organizational structure must support that governance, as well as clearly define lines of authority and responsibility in terms of risk leadership and management.

Information Systems Architecture

The information technology architecture within the organization affects the risk of the business in several ways. Aspects of IT architecture risk include interoperability, supportability, security, maintenance, and how the different pieces and parts of the infrastructure fit into the systems development life cycle. The business views IT as an investment of capital funds, much as it would facilities and other equipment, as a means to an end in supporting the business mission. Information systems represent risk to the business because of the aforementioned interoperability, supportability, security, and other issues. It costs the organization money to maintain and support all of the IT assets within the company, in the form of parts, training for administrators and users, and upgrades. There are also the intangible aspects of IT, such as business value and liability. IT systems affect the bottom line of the organization, so there’s a lot of thought put into managing risk for them. Additionally, you should take care to remember that information technology risk is only a piece of the entire enterprise risk picture. In the next few sections, we’ll talk about different aspects of the information systems architecture and how they contribute to the overall enterprise risk in the organization.

Platforms

Platforms are the operating systems and distinct architectures the business information systems run on. Businesses could use the Windows and Unix platforms or the Intel and SPARC platforms. Platforms are an element of the IT infrastructure that contributes to the information security and business risk for several reasons. First, it costs more to simultaneously maintain different operating systems and environments that come with different platforms. Platforms also introduce risk into the environment in the form of interoperability, security, and supportability. A diverse platform environment (with mixed platforms, such as Windows, Linux, Macs, Unix, and so on) can affect interoperability with other systems because of differing versions of software and different network protocols, security methods, and so on. A diverse environment can also affect supportability because the organization must maintain different skill sets and a wide knowledge base in order to support the diverse platforms.

On the other hand, maintaining a homogeneous environment can reduce costs, ensure interoperability, and allow a more common set of security controls and mechanisms, such as patch management and configuration management. However, there is even risk involved in a homogeneous platform environment because of the likelihood that a vulnerability discovered in one system would also be shared in many others, offering a wider attack surface for a potential malicious actor. It is really a matter of the systems development life cycle (SDLC) as to how and when platforms are developed, introduced into the infrastructure, implemented, maintained, and, eventually, disposed of, and there is risk inherent to all of these different phases, which we'll discuss more in Chapter 2.


A network is another aspect of the IT infrastructure that inserts risk into the business environment. While networks are necessary to carry data both within and outside of the organization, these benefits do not come without some degree of risk. Risk can be introduced by unsecured protocols, a lack of encryption for data in transit, improper data or system access through weak authentication mechanisms, interception and modification of data on the wire, and so on. For a network to be considered secure, it must be designed to control traffic carefully at every stage of transmission, routing, and reception.


Applications introduce risk simply because in this day and age they’re so critical to the operations of businesses. Businesses need not only basic word-processing and spreadsheet software but also complex databases, line-of-business applications, specialized software, security software, and other types of applications. Applications have to be managed to their own life cycles as well; they’re constantly being patched, upgraded, superseded, and replaced by better, faster software with more features that usually cost more. Risks that are inherent to managing applications within an organization include supportability, backward compatibility, data format compatibility, licensing, and proper use.

Adding to this complexity are the decisions an organization makes in terms of selecting proprietary software, open source software, general-purpose commercial software, or highly specialized software. All of these different categories incur different levels of cost, supportability, licensing, and feature sets. Interoperability also plays a part in application risk, like it does with other infrastructure components. Applications that do not use common data formats or produce usable output for the organization create risk of expense or additional work that goes into transforming data between incompatible applications. Applications also introduce risk into the business environment with the level of security mechanisms built into them and how effective those security mechanisms are in protecting data residing in the application.

It’s worth mentioning here that web-based applications, in addition to presenting the same risks as normal client-server apps, also have their own unique risks. Security is a definite risk imposed by web-based applications since they are usually exposed directly to untrusted networks, such as the Internet, where anyone can reach them. Other risks come from the wide variety of web programming languages, frameworks, and standards available for developers to use, each with its own security track record.


Databases, as a subset of applications, carry some of the same risks that applications and other software do. Additionally, databases incur risks associated with data aggregation, compatibility, privacy, and security. Aggregation is the risk that records which are individually harmless or unclassified become sensitive when they are combined; inference is the risk that a user deduces protected values from queries they are permitted to run, for example by comparing the results of two statistical queries whose query sets differ by a single record. Unauthorized access and data loss are also huge risks that databases introduce into the enterprise environment.
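To make the inference risk described above concrete, here is an added example written for this page (it is not code from the book or from any product). It loads a constructed, hypothetical employee table into an in-memory SQLite database and fronts it with a "statistical" interface that answers only SUM and COUNT queries, and only when the predicate matches at least MIN_QUERY_SET_SIZE rows. A direct query for one person's salary is refused, yet two permitted aggregates whose query sets differ by exactly one record give that salary by subtraction; this is the classic tracker, or difference, attack. The table contents, the department names, the salaries and the threshold value are all assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed, hypothetical sample data for this demonstration (not from the page).
EMPLOYEES = [
    ("alice", "engineering", 120000),
    ("bob", "engineering", 95000),
    ("carol", "engineering", 105000),
    ("dave", "sales", 80000),
    ("erin", "sales", 70000),
    ("frank", "legal", 150000),  # sole member of legal: the inference target
]

# Assumed policy: an aggregate is answered only if its predicate matches this many rows.
MIN_QUERY_SET_SIZE = 2

# Only predicates of this tiny shape are accepted, so the toy interface is not itself injectable.
PREDICATE_GRAMMAR = re.compile(r"(dept|name) (=|!=) '[a-z]+'|1=1")


class QueryRejected(Exception):
    """Raised when the statistical interface refuses a query."""


def build_db():
    """Load the sample table into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def stat_query(conn, agg, predicate):
    """Answer SUM(salary) or COUNT(*) over the rows matching `predicate`, but only
    when the query set holds at least MIN_QUERY_SET_SIZE rows; raise otherwise."""
    if agg not in ("SUM", "COUNT"):
        raise QueryRejected("only SUM and COUNT are permitted")
    if not PREDICATE_GRAMMAR.fullmatch(predicate):
        raise QueryRejected("predicate outside the allowed grammar")
    (n,) = conn.execute(f"SELECT COUNT(*) FROM employees WHERE {predicate}").fetchone()
    if n < MIN_QUERY_SET_SIZE:
        raise QueryRejected(f"query set too small ({n} rows)")
    column = "salary" if agg == "SUM" else "*"
    (value,) = conn.execute(
        f"SELECT {agg}({column}) FROM employees WHERE {predicate}"
    ).fetchone()
    return value


def direct_lookup_allowed(conn, name):
    """True if the interface lets a user read one person's salary directly (it should not)."""
    try:
        stat_query(conn, "SUM", f"name = '{name}'")
        return True
    except QueryRejected:
        return False


def infer_salary_of_sole_member(conn, dept):
    """Tracker (difference) attack: SUM over everyone minus SUM over everyone
    outside `dept` isolates the single person in `dept`, even though each
    query on its own satisfies the minimum-query-set rule."""
    total = stat_query(conn, "SUM", "1=1")
    others = stat_query(conn, "SUM", f"dept != '{dept}'")
    return total - others


if __name__ == "__main__":
    db = build_db()
    print("direct lookup of frank allowed:", direct_lookup_allowed(db, "frank"))
    print("inferred salary of the only legal employee:",
          infer_salary_of_sole_member(db, "legal"))
```

Raising MIN_QUERY_SET_SIZE does not close the hole: an attacker simply pads both query sets with the same extra records, and the difference still isolates the target. That is why inference control in statistical databases relies on query auditing, result perturbation, or withholding small cells in every dimension, rather than on a size threshold alone.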

Operating Systems

Although we discussed platforms in a previous section, it’s worth mentioning operating systems as their own separate risk element in the IT infrastructure. Platforms and operating systems are sometimes used interchangeably, but truthfully, a platform is more a hardware architecture than an operating system categorization. A platform could be an Intel PC or a tablet chipset, for example, which is designed and architected differently and run on totally different operating systems. Different operating systems, on the other hand, could run on the same platform but still introduce risk into the organization, for the same reasons discussed previously with applications. First, there are interoperability and supportability risks and all of the other issues that go hand-in-hand with the normal operating system life cycle, such as patch and vulnerability management. Licensing, standardization, level of user control, and configuration are also issues that introduce risk into the organizational computing environment.

EXAM TIP    Although information security professionals tend to focus more on the technical aspects of IT risks, for the exam keep in mind that all IT risks contribute to the overall business risks in the enterprise as well. Make sure you look at the larger picture beyond the IT realm.

Managing Risk Ownership

It makes sense that the organization owns all of the risk that it incurs, which is definitely true to a certain extent. However, within each organization, there are areas that “own” their own piece of risk; in other words, they are responsible for managing it and responding to it. In some cases, they are also responsible for identifying, analyzing, and evaluating risk as it pertains to their functional or defined area. Risk ownership requires risk owners to take responsibility for their areas of risk and ensure that those risks are properly managed throughout the risk life cycle. In this section, we’ll cover risk ownership in depth and how it relates to the concepts of risk tolerance and appetite that we discussed earlier in the chapter.

Another related area to risk ownership is that of risk awareness training. The reason this is related to risk ownership is that everyone in the organization, including those responsible for managing risk, must be aware of how risk is identified, evaluated, managed, and responded to throughout the organization. They should also be made aware of the risk management strategy the organization uses and their role in that strategy. This section will also cover risk awareness training and how to implement it within the organization.

Risk Ownership

Risk ownership is a concept that provides a focal point for responsibility and accountability for managing risk throughout its life cycle, including identifying it, assessing and evaluating it, responding to it, and monitoring it. Risk owners take responsibility for risk in their own functional domains within an organization, although you should understand that the risk from several areas is usually “rolled up” into overall organizational risk and is owned by the senior executives or board members who are legally responsible for the organization. There are several components to risk ownership.

The first component is governance. Governance, remember, can be external laws and regulations that the organization is required to comply with. It can also be internal regulations and requirements set by senior leadership within the organization. As part of governance, the organization should set a formal risk strategy and risk management plan, which should detail how risk ownership is defined within the organization. Risk ownership may be defined by functional area, hierarchy within the organization, or any number of other factors.

Other components of risk ownership include responsibility, accountability, and the ability to control the resources that can effectively manage risk (people, funding, equipment, supplies, facilities, and so on). Responsibility means someone has been given the formal authority to manage risk, either by position or by specific appointment from the organization’s leaders. A risk owner may have responsibility for a specific area of risk. Responsibility also means that the risk owner bears the burden of being held accountable for their actions in risk management. Accountability means that risk owners must be prepared to take the consequences for success or failure of the risk management efforts. Finally, risk owners must be given the resources and the authority to control those resources in order to effectively manage risk within their area of responsibility. If they have the responsibility and accountability but don’t have any control over resources to help manage risk, they will be quite ineffective and won’t be able to meet their responsibilities.

EXAM TIP    Remember that regardless of what area within the organization is considered a risk owner, ultimately the responsibility for owning and managing risk belongs to the highest level within the organization. This would likely be either the person or the group that has legal liability and responsibility for the organization, such as the chief executive officer (CEO) or the board of directors, as appropriate.

Risk ownership is directly affected by appetite and tolerance. Since these two factors are derived from the organization, they are defined by senior leaders and management, boards of directors, shareholders, and other key entities within the organization. Governance also helps drive risk appetite and tolerance; the organization may establish rules and regulations that strictly limit risk taking, or rules that are less restrictive about taking and managing risk. The organization’s take on appetite and tolerance directly affects risk ownership because risk owners must manage the risk within their areas according to these two factors in order to stay in line with the organization. Senior leaders, shareholders, and boards of directors must establish the organizational risk culture in order to give boundaries to risk owners within the organization. They may also require that risk owners consult and validate risk decisions with senior management at different threshold or tolerance levels.

EXAM TIP    Remember that risk appetite and tolerance come from the senior management levels of the organization and drive the organization’s risk culture. They also drive how risk ownership is defined and structured within the organization.

Risk Awareness

Risk awareness is a necessary part of risk management. It can’t be viewed as just another two-hour training session to check a box for management or compliance. Risk awareness is essential because it helps form and maintain the organization’s risk culture. It also educates personnel at all levels of the organization, including employees, managers, and senior leadership, on the organization’s risk strategy, its appetite and tolerance levels for risk, its risk management plan, and other relevant topics necessary to manage risk in the organization. Beyond the education on organizational governance and risk management processes, awareness training can give all members of the organization the knowledge they need to better identify, assess and evaluate, and respond to risk. Risk awareness training may be required for compliance with governance in some cases, but even if it’s not, it should be considered critical to the overall risk management strategy in the organization and given its due place in the organizational priority list. The next two sections will discuss the different tools and techniques used in risk awareness training and how to develop a risk awareness program within an organization.

Risk Awareness Tools and Techniques

Like most training, risk awareness training should meet several criteria. First, it should be geared toward specific groups of audiences. This might include basic employee training that everyone receives, more advanced training for managers or senior leaders, and in-depth training for those personnel with assigned risk management responsibilities, such as risk owners, risk analysts, and so on. Second, training shouldn’t be a one-time event. Periodic, recurring training is a good idea simply because it can be used to reinforce and refresh stale knowledge and bring trainees up-to-date on the latest tools, techniques, and risk considerations. Finally, risk awareness training should be well organized and conducted by knowledgeable instructors, both from inside and outside the organization. Internal trainers can give the benefit of the organization’s specific views on risk culture, appetite, and tolerance, while external trainers bring the benefit of objective knowledge and risk management methods from industry.

The subject of the training depends upon the audience, of course. The basics may include familiarization training with rules and regulations regarding risk within the organization, as well as the basic steps of risk management. Basic concepts and definitions may also be provided in familiarization training. Specific training on risk management techniques and tools may be reserved for those employees who have direct risk management responsibilities. There also may need to be training for senior leadership on how to develop risk management strategy and plans for the organization.

There are several ways that an organization can deliver risk awareness training; different combinations of all of them should probably be used to deliver an effective training program. Classroom training is, of course, one standard method. Other methods might include individual-based training that comes from reading, computer-based training, and so on. Employees might also be required to read a risk management handbook that defines the different rules and regulations covering risk within the organization. Specialized training on risk management might have to be provided by an external training provider for those individuals with defined risk management responsibilities.

Developing an Organization Risk Awareness Program

Establishing a risk awareness program in an organization can be a challenge. One way organizations fail is to simply direct someone to develop a training program when the organization has not even established its risk management strategy or plans. Developing the organization’s take on risk is an essential first step before implementing risk awareness training. The organization has to develop, formally if possible, its stance on risk appetite and tolerance, as well as its risk management strategy. It should decide what risk management methodologies it will use, as well as what standards and frameworks. Only then can a training program be developed based upon a good solid risk management framework within the organization.

Establishing the risk awareness training program also requires buy-in from management at all levels. The program should be adequately funded, and allowances should be made for employees to be able to take part in the training. Management should be committed to risk awareness training as part of its overall risk management strategy. Sufficiently trained and experienced instructors or a training program manager should be selected in order to develop and maintain the program. Finally, the training program should articulate not only the risk culture of the organization but also its specific risk management needs, such as the organization’s own risk factors, threats, and vulnerabilities, which should be taken into account when the training is developed. Employees who participate in risk awareness training should be able to easily put into practice the concepts, tools, and techniques they learn. Additionally, the training program should be periodically evaluated for effectiveness, as well as updated with current risks, governance, tools, and techniques.

Beyond initial or recurring risk awareness training, ongoing communication within the organization is a must for effectively managing risk awareness. Employees in general, but also specifically those with key risk management duties, should be given information on an ongoing basis regarding organizational risks and how to manage and deal with them. Obviously, some information would be restricted from the general organizational population, but specific instances of threats and vulnerabilities, risk factors, and so on, should be provided to risk managers in key areas so they can keep updated on the most current risk posture for the organization.

Exercise 1-1: Developing a Risk Awareness Program

Review any risk awareness training programs, procedures, or documents within your organization. How often is training conducted? Is it geared toward both the general population of the organization and the specific key roles and responsibilities? Does it cover not only regulations but also risk management methodologies and frameworks? What suggestions could you make to your organization regarding the improvement of its risk awareness training program?

TIP    While training programs are sometimes the first things cut from the budget or the last things developed in a program, don’t underestimate the importance of risk awareness training within the overall risk management strategy. Training not only makes the risk management process within the organization more effective; it also reduces risk by itself, because people who understand the risks they handle make fewer of the mistakes that create them.

Legal and Governance

An organization’s way of dealing with risk—how it formulates strategy, risk management plans, risk response methods, and so forth—comes from a desire to succeed in its business, mission, and goals, of course. But risk management can also be compulsory and not just a smart way of doing business. How an organization manages risk is often directive in nature and can come from different types of governance. Governance includes laws, regulations, and statutes, of course, but it also includes organizational directives. Policies, as well as the procedures and standards that support them, are also considered governance. Depending on its source, different types of governance may be legally binding or not. Obviously, laws and statutes are legally binding, while organizational policy may not necessarily be so.

As a risk manager, you should know something about the various laws and regulations that require an organization to engage in a definitive, coherent risk management strategy and process. While a detailed legal discussion of the dozens of laws and regulations that compel an organization to establish a risk management program is beyond the scope of this book, you should have an understanding of some of the key directives that govern risk management with regard to information protection. This section will discuss a few of those key regulations, as well as how to identify the governance that applies to your organization and how that governance drives your risk management strategy.

Laws, Regulations, and Standards

Many of the different laws and regulations that govern risk management in organizations are business sector and data specific; that is, they specifically apply to a particular area or type of data. For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals, doctors, clinics, and other healthcare providers to establish a risk management program to protect sensitive healthcare information. HIPAA wouldn’t apply to a bank or financial company, although other laws would. We’ll discuss some of these in the upcoming paragraphs.

One of the most common laws requiring risk management within the information technology world is the Federal Information Security Management Act (FISMA) of 2002, since updated by the Federal Information Security Modernization Act of 2014. FISMA applies to all U.S. federal government agencies, requiring them to establish information security programs for all federal systems, as well as report risk management and compliance information on an annual basis. FISMA is implemented using various programs within the federal government, depending upon the agency. For example, the U.S. Department of Defense implemented FISMA using the Defense Information Assurance Certification and Accreditation Program (DIACAP) as its vehicle for IT risk management in 2006 but has since replaced it (in March 2014) with NIST’s Risk Management Framework. The RMF, as described earlier, provides a risk management process for use in all federal agencies.

The aforementioned HIPAA applies to covered entities in the United States (healthcare providers, health plans, and healthcare clearinghouses) and to the business associates that handle data on their behalf, and its Security Rule specifically requires that a formal risk management program be established. The rule further requires that risk assessments be performed on all systems that process electronic protected health information (ePHI). Covered entities are subject to periodic audits to verify that the provisions requiring risk management are followed.

The Payment Card Industry Data Security Standard (PCI-DSS) was developed by the members of the payment card industry, such as Visa, Mastercard, and so on, to establish a recognized set of information security requirements that applies across all industry partners (for example, banks, retailers, and card issuers). While more technical in nature, the standard requires information security policies, vulnerability management, and other risk-based security controls to protect cardholder data.

Financial institutions (banks, brokerage companies, and so on) are the primary focus of the Gramm-Leach-Bliley Act (GLBA), although it also applies to some extent to other organizations. GLBA requires periodic risk analysis of the processes that handle nonpublic financial information and personal financial data. While GLBA was primarily designed to allow certain types of financial institutions to merge and interoperate, important risk management requirements were also put into place with this law, namely the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions. These were included in the legislation to protect consumer privacy, establish information security safeguards (including risk management and analysis), and guard against social engineering attacks, respectively.

Identifying Legal and Governance Requirements in the Organization

Regardless of the type of market or segment in which your organization is involved, there are likely requirements levied by law, regulations, contracts, and even internal organizational policies that require some type of risk management program to be developed and put into place. Obviously, if your organization is a federal agency, a healthcare provider, or some type of financial institution, then you probably fall under the requirements of one of the laws described earlier. Additionally, if you process any type of consumer credit card or maintain financial information on individuals, you likely fall under at least the PCI-DSS, if not others. However, even if your organization does not fall under one of the previous categories, you may have legal or regulatory requirements to maintain a risk management program. Often, businesses are members of industry associations or professional organizations that require risk management as a condition of membership. Additionally, contractual agreements with other organizations often have stipulations built in that require risk management.

Some of these nonregulatory requirements may include requirements for the organization to have a risk management program, for the organization to perform risk assessments and analysis, and for the organization to demonstrate due care and diligence in reducing or mitigating risk. While some of these requirements might not be specifically stated as “risk management” activities, they may come in the form of requirements to maintain security policies, require separation of duties or data, implement standard safeguards (such as strong authentication and encryption methods, for example), and periodically test systems for vulnerabilities. Regardless of how they are stated in policies or contracts, these requirements can be legally used to determine liability for an organization in the event its risk management activities are ever questioned.

When determining legal or regulatory requirements for risk management activities, you should consult with both your organization’s legal representatives, as well as its executive management. You should also research any requirements levied by external organizations or contractual obligations. You must take these requirements into account when developing a risk management program, as well as when developing an information security program. These requirements will likely impact the organization’s stance on risk, as well as its levels of risk appetite and tolerance.

Exercise 1-2: Identifying Legal, Regulatory, and Contractual Requirements

For this exercise, you should attempt to identify and record any legal, regulatory, or other requirements levied on your organization that require a risk management program or activities. You could consult your legal department, talk to senior management, or even perform research on similar organizations. In your attempt to identify these requirements, you may actually uncover other sources that could require risk management activities within your organization. How do these requirements affect your business? Do they influence the organization’s risk appetite and tolerance levels? How are information security programs developed and implemented to meet the requirements for risk management levied by these laws, regulations, or contract requirements?

Chapter Review

In this first chapter, we discussed fundamental concepts of both security and risk management. The three goals of security, known as the CIA triad, are confidentiality, integrity, and availability. Supporting these three goals are other elements of security, such as access control, data sensitivity and classification, identification, authentication, authorization, accountability, and, finally, nonrepudiation.

Risk management is the overall process of developing a strategy for addressing risk throughout its life cycle and includes several components, including risk identification, evaluation, and assessment. We discussed the different concepts associated with risk management, including the threat agents, threats, and vulnerabilities that are associated with assets. We also looked at the variables that affect how these elements create risk: likelihood and impact. The relationships between these elements are what define risk. We also looked at the organizational culture and examined the definitions for risk appetite and risk tolerance.

We then defined standards, frameworks, and practices, and we detailed some of the ones relevant to risk management. We looked at the NIST Risk Management Framework, COBIT 5, and the Risk IT Framework.

We then looked at the business perspectives of IT risk management and discussed how risk from the IT perspective is only a subset of the overall enterprise risk. We examined how business views risk from a mission perspective and covered the criteria business information must meet in order to support that mission. Organizational structures also affect the overall business risk since how the business is organized affects how it incurs and manages risk. We also looked at various elements of information systems architecture and some of the inherent risks involved with those elements. Platforms, networks, applications, databases, and operating systems are all elements of the infrastructure that contribute not only to the IT risk but also to the overall enterprise risk.

We then examined concepts of risk ownership and risk awareness. Risk ownership, while ultimately held by the senior levels of the organization, is also shared by people who have responsibility and accountability for managing risk within their areas of control. Risk awareness is an educational program that should be implemented to provide the right level of risk-related training to both employees and managers. Risk awareness training can actually help reduce risk throughout the organization. Risk awareness also means keeping the members of an organization informed about the current risk environment.

Finally, we concluded this chapter with a discussion of legal, regulatory, and contractual requirements levied on organizations that make risk management programs and activities mandatory. We discussed a few examples of common laws, such as HIPAA, GLBA, and FISMA, as well as the PCI-DSS; they require organizations to implement and maintain formalized risk management activities.



Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication

NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
Publication Date(s): July 2002
Withdrawal Date: September 2012
Withdrawal Note: SP 800-30 is superseded in its entirety by the publication of SP 800-30 Revision 1 (September 2012).

Superseding Publication(s)

The attached publication has been superseded by the following publication(s):

NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments
Joint Task Force Transformation Initiative
Publication Date(s): September 2012

Additional Information (if applicable)

Computer Security Division (Information Technology Lab)
Latest revision of the attached publication: SP 800-30 Revision 1 (as of June 19, 2015)
Related information:
announcement (link):

Date updated: June 9, 20









National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

NIST Special Publication 800-30

Risk Management Guide for Information Technology Systems

Recommendations of the National Institute of Standards and Technology

Gary Stoneburner, Alice Goguen, and Alexis Feringa


The National Institute of Standards and Technology was established in 1988 by Congress to “assist industry in the development of technology . . . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . . . and to facilitate rapid commercialization . . . of products based on new scientific

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry’s competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency’s basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department’s Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST’s research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. For more information contact the Publications and Program Inquiries Desk, 301-975-3058.


NIST Special Publication 800-30
Risk Management Guide for Information Technology
Recommendations of the National Institute of Standards and Technology

Gary Stoneburner, Alice Goguen, and Alexis Feringa

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

July 2002

U.S. Department of Commerce
Donald L. Evans, Secretary

Technology Administration
Phillip J. Bond, Under Secretary of Commerce for Technology

National Institute of Standards and Technology
Arden L. Bement, Jr., Director

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-30
Natl. Inst. Stand. Technol. Spec. Publ. 800-30, 54 pages (July 2002)

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250
Mail: Stop SSOP Washington, DC 20402-0001


The authors, Gary Stoneburner from NIST and Alice Goguen and Alexis Feringa from Booz Allen Hamilton, wish to express their thanks to their colleagues at both organizations who reviewed drafts of this document. In particular, Timothy Grance, Marianne Swanson, and Joan Hash from NIST and Debra L. Banning, Jeffrey Confer, Randall K. Ewell, and Waseem Mamlouk from Booz Allen Hamilton, provided valuable insights that contributed substantially to the technical content of this document. Moreover, we gratefully acknowledge and appreciate the many comments from the public and private sectors whose thoughtful and constructive comments improved the quality and utility of this publication.

SP 800-30 Page




1.1 Authority
1.2 Purpose
1.3 Objective
1.4 Target Audience
1.5 Related References
1.6 Guide Structure

2.1 Importance of Risk Management
2.2 Integration of Risk Management into SDLC
2.3 Key Roles

3.1 Step 1: System Characterization
3.1.1 System-Related Information
3.1.2 Information-Gathering Techniques
3.2 Step 2: Threat Identification
3.2.1 Threat-Source Identification
3.2.2 Motivation and Threat Actions
3.3 Step 3: Vulnerability Identification
3.3.1 Vulnerability Sources
3.3.2 System Security Testing
3.3.3 Development of Security Requirements Checklist
3.4 Step 4: Control Analysis
3.4.1 Control Methods
3.4.2 Control Categories
3.4.3 Control Analysis Technique
3.5 Step 5: Likelihood Determination
3.6 Step 6: Impact Analysis
3.7 Step 7: Risk Determination
3.7.1 Risk-Level Matrix
3.7.2 Description of Risk Level
3.8 Step 8: Control Recommendations
3.9 Step 9: Results Documentation

4.1 Risk Mitigation Options
4.2 Risk Mitigation Strategy
4.3 Approach for Control Implementation
4.4 Control Categories
4.4.1 Technical Security Controls
4.4.2 Management Security Controls
4.4.3 Operational Security Controls
4.5 Cost-Benefit Analysis
4.6 Residual Risk

5.1 Good Security Practice
5.2 Keys for Success

Appendix A—Sample Interview Questions A-
Appendix B—Sample Risk Assessment Report Outline B-
Appendix C—Sample Implementation Safeguard Plan Summary Table C-1
Appendix D—Acronyms D-1
Appendix E—Glossary E-1
Appendix F—References F-

Figure 3-1 Risk Assessment Methodology Flowchart 9
Figure 4-1 Risk Mitigation Action Points 28
Figure 4-2 Risk Mitigation Methodology Flowchart 3
Figure 4-3 Technical Security Controls 33
Figure 4-4 Control Implementation and Residual Risk 40

Table 2-1 Integration of Risk Management to the SDLC 5
Table 3-1 Human Threats: Threat-Source, Motivation, and Threat Actions 14
Table 3-2 Vulnerability/Threat Pairs 15
Table 3-3 Security Criteria 18
Table 3-4 Likelihood Definitions 21
Table 3-5 Magnitude of Impact Definitions 23
Table 3-6 Risk-Level Matrix 25
Table 3-7 Risk Scale and Necessary Actions 25




Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems¹ to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the

1.1 Authority

This document has been developed by NIST in furtherance of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within the meaning of 15 U.S.C 278 g-3 (a)(3).

These guidelines are for use by Federal organizations which process sensitive information. They are consistent with the requirements of OMB Circular A-130, Appendix III.

The guidelines herein are not mandatory and binding standards. This document may be used by non-governmental organizations on a voluntary basis. It is not subject to copyright.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the Office of Management and Budget, or any other Federal official.


1.2 Purpose

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission


¹ The term “IT system” refers to a general support system (e.g., mainframe computer, mid-range computer, local area network, agencywide backbone) or a major application that can run on a general support system and whose use of information resources satisfies a specific set of user requirements.

In addition, this guide provides information on the selection of cost-effective security controls.² These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.

Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their environment in managing IT-related mission



1.3 Objective

The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems³ on the basis of the supporting documentation resulting from the performance of risk management.


1.4 Target Audience

This guide provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel

• Senior management, the mission owners, who make decisions about the IT security
• Federal Chief Information Officers, who ensure the implementation of risk management for agency IT systems and the security provided for these IT systems
• The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system
• The IT security program manager, who implements the security program
• Information system security officers (ISSO), who are responsible for IT security
• IT system owners of system software and/or hardware used to support IT functions
• Information owners of data stored, processed, and transmitted by the IT systems
• Business or functional managers, who are responsible for the IT procurement process
• Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems
• IT system and application programmers, who develop and maintain code that could affect system and data integrity
• IT quality assurance personnel, who test and ensure the integrity of the IT systems and data
• Information system auditors, who audit IT systems
• IT consultants, who support clients in risk management.

² The terms “safeguards” and “controls” refer to risk-reducing measures; these terms are used interchangeably in this guidance document.

³ Office of Management and Budget’s November 2000 Circular A-130, the Computer Security Act of 1987, and the Government Information Security Reform Act of October 2000 require that an IT system be authorized prior to operation and reauthorized at least every 3 years thereafter.


1.5 Related References

This guide is based on the general concepts presented in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security, along with the principles and practices in NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. In addition, it is consistent with the policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III, “Security of Federal Automated Information Resources”; the Computer Security Act (CSA) of 1987; and the Government Information Security Reform Act of October 2000.


1.6 Guide Structure

The remaining sections of this guide discuss the following:

• Section 2 provides an overview of risk management, how it fits into the system development life cycle (SDLC), and the roles of individuals who support and use this
• Section 3 describes the risk assessment methodology and the nine primary steps in conducting a risk assessment of an IT system.
• Section 4 describes the risk mitigation process, including risk mitigation options and strategy, approach for control implementation, control categories, cost-benefit analysis, and residual risk.
• Section 5 discusses the good practice and need for an ongoing risk evaluation and assessment and the factors that will lead to a successful risk management program.

This guide also contains six appendixes. Appendix A provides sample interview questions. Appendix B provides a sample outline for use in documenting risk assessment results. Appendix C contains a sample table for the safeguard implementation plan. Appendix D provides a list of the acronyms used in this document. Appendix E contains a glossary of terms used frequently in this guide. Appendix F lists references.



This guide describes the risk management methodology, how it fits into each phase of the SDLC, and how the risk management process is tied to the process of system authorization (or

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Section 3 of this guide describes the risk assessment process, which includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Section 5 discusses the continual evaluation process and keys for implementing a successful risk management program. The DAA or system authorizing official is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk before authorizing (or accrediting) the IT system for operation.

2.1 Importance of Risk Management

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case of home security, for example. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property. Presumably, the homeowners have weighed the cost of system installation and monitoring against the value of their household goods and their family’s safety, a fundamental “mission” need.

The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real-world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security



2.2 Integration of Risk Management into SDLC

Minimizing negative impact on an organization and need for sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be totally integrated into the SDLC. An IT system’s SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. In some cases, an IT system may occupy several of these phases at the same time. However, the risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC. Table 2-1 describes the characteristics of each SDLC phase and indicates how risk management can be performed in support of each

Table 2-1 Integration of Risk Management into the SDLC

Columns: SDLC Phases | Phase Characteristics | Support from Risk Management Activities

Phase 1—Initiation
• Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is
• Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations

Phase 2—Development or Acquisition
• Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise
• Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design trade-offs during system

Phase 3—Implementation
• Phase characteristics: The system security features should be configured, enabled, tested, and verified
• Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system

Phase 4—Operation or Maintenance
• Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and
• Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces)

Phase 5—Disposal
• Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and
• Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic


2.3 Key Roles

Risk management is a management responsibility. This section describes the key roles of the personnel who should support and participate in the risk management process.

• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management

• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

• Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

• ISSO. IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.



Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, as discussed in Section 4.

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps, which are described in Sections 3.1 through 3.9:

• Step 1—System Characterization (Section 3.1)
• Step 2—Threat Identification (Section 3.2)
• Step 3—Vulnerability Identification (Section 3.3)
• Step 4—Control Analysis (Section 3.4)
• Step 5—Likelihood Determination (Section 3.5)
• Step 6—Impact Analysis (Section 3.6)
• Step 7—Risk Determination (Section 3.7)
• Step 8—Control Recommendations (Section 3.8)
• Step 9—Results Documentation (Section 3.9).

Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed. Figure 3-1 depicts these steps and the inputs to and outputs from each step.
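The relation just stated, risk as a function of threat likelihood (threat-source against vulnerability, tempered by controls) and mission impact, carried through Steps 2 to 7 as an added Python example; this is not code from the guide. The rating rules are the ones the guide gives later in Tables 3-4 through 3-6 (Sections 3.5 through 3.7), and the payroll-system vulnerability/threat pairs are constructed here for illustration.

```python
"""Risk determination chain of SP 800-30 (Steps 2 through 7) as a worked example.

Added illustration, not code from the guide. Rating rules follow the guide's
later sections: Table 3-4 (likelihood), Table 3-5 (impact) and the Table 3-6
risk-level matrix. The sample system and vulnerability/threat pairs are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Rating(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


# Table 3-6 weights: risk is scored as likelihood weight x impact weight.
LIKELIHOOD_WEIGHT = {Rating.LOW: 0.1, Rating.MEDIUM: 0.5, Rating.HIGH: 1.0}
IMPACT_WEIGHT = {Rating.LOW: 10, Rating.MEDIUM: 50, Rating.HIGH: 100}


@dataclass(frozen=True)
class ThreatSource:
    """One entry of the Step 2 threat statement. For natural or environmental
    sources (fire, flood) motivation does not apply; model them as motivated and
    capable so that only the controls in place drive the likelihood."""
    name: str
    motivated: bool
    capable: bool


@dataclass(frozen=True)
class VulnerabilityThreatPair:
    """A vulnerability (Step 3) paired with a threat-source, the adequacy of the
    current/planned controls (Step 4) and the mission impact rating (Step 6)."""
    vulnerability: str
    threat: ThreatSource
    control_adequacy: Rating   # HIGH = controls prevent exercise, LOW = ineffective
    impact: Rating


def likelihood(pair: VulnerabilityThreatPair) -> Rating:
    """Step 5 (Table 3-4): threat motivation and capability, tempered by controls."""
    source = pair.threat
    if not (source.motivated and source.capable) or pair.control_adequacy is Rating.HIGH:
        return Rating.LOW      # source lacks motivation/capability, or controls prevent exercise
    if pair.control_adequacy is Rating.MEDIUM:
        return Rating.MEDIUM   # motivated and capable, but controls may impede exercise
    return Rating.HIGH         # motivated, capable, and controls are ineffective


def risk_score(like: Rating, impact: Rating) -> float:
    """Table 3-6 cell value for a likelihood/impact pair."""
    return LIKELIHOOD_WEIGHT[like] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> Rating:
    """Table 3-6 scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return Rating.HIGH
    if score > 10:
        return Rating.MEDIUM
    return Rating.LOW


def assess(pairs):
    """Step 7: rate every pair and order the result highest risk first, which is
    the priority order Step 8 (control recommendations) works from."""
    rows = []
    for pair in pairs:
        like = likelihood(pair)
        score = risk_score(like, pair.impact)
        rows.append({"vulnerability": pair.vulnerability, "threat": pair.threat.name,
                     "likelihood": like, "impact": pair.impact,
                     "score": score, "risk": risk_level(score)})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


# Constructed sample pairs for a hypothetical payroll system (not from the guide).
SAMPLE_PAIRS = [
    VulnerabilityThreatPair(
        "Terminated employees' accounts are not removed from the system",
        ThreatSource("Terminated employee", motivated=True, capable=True),
        control_adequacy=Rating.LOW, impact=Rating.HIGH),
    VulnerabilityThreatPair(
        "Data center uses water sprinklers; equipment has no water protection",
        ThreatSource("Fire", motivated=True, capable=True),   # natural source
        control_adequacy=Rating.MEDIUM, impact=Rating.HIGH),  # sits exactly on the 50 boundary
    VulnerabilityThreatPair(
        "Vendor patch for a known server flaw is not yet applied",
        ThreatSource("External attacker", motivated=True, capable=True),
        control_adequacy=Rating.HIGH, impact=Rating.MEDIUM),  # compensating control in place
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['risk'].value:6} ({row['score']:5.1f})  {row['likelihood'].value}/"
              f"{row['impact'].value}  {row['threat']}: {row['vulnerability']}")
```

The second pair shows why the matrix thresholds matter: a Medium likelihood against a High impact scores exactly 50, which the guide's scale still rates Medium rather than High.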

[Figure 3-1. Risk Assessment Methodology Flowchart. The figure shows Steps 1 through 9 (System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations, Results Documentation) with the inputs to and outputs from each step: hardware, software, system interfaces, data and information, people and system mission feed Step 1 and yield the system boundary and system functions; history of system attack and data from intelligence agencies, NIPC, OIG, FedCIRC and mass media feed Step 2 and yield the threat statement; audit comments, security requirements and security test results feed Step 3; current and planned controls feed Step 4 and yield the list of current and planned controls; threat-source motivation, threat capacity, nature of vulnerability and current controls feed Step 5 and yield the likelihood rating; mission impact analysis, asset criticality assessment, data criticality and data sensitivity feed Step 6 and yield the impact rating; threat likelihood, magnitude of impact and adequacy of planned or current controls feed Step 7; Step 8 yields the recommended controls.]

Figure 3-1. Risk Assessment Methodology Flowchart



3.1 Step 1: System Characterization

In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity, and responsible division or support personnel) essential to defining the risk.

Section 3.1.1 describes the system-related information used to characterize an IT system and its operational environment. Section 3.1.2 suggests the information-gathering techniques that can be used to solicit information relevant to the IT system processing

The methodology described in this document can be applied to assessments of single or multiple, interrelated systems. In the latter case, it is important that the domain of interest and all interfaces and dependencies be well defined prior to applying the methodology.

3.1.1 System-Related Information

Identifying risk for an IT system requires a keen understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows:

• Hardware
• Software
• System interfaces (e.g., internal and external connectivity)
• Data and information
• Persons who support and use the IT system
• System mission (e.g., the processes performed by the IT system)
• System and data criticality (e.g., the system’s value or importance to an organization)
• System and data sensitivity.⁴

Additional information related to the operational environment of the IT system and its data includes, but is not limited to, the following:

• The functional requirements of the IT system
• Users of the system (e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions)
• System security policies governing the IT system (organizational policies, federal requirements, laws, industry practices)
• System security architecture
• Current network topology (e.g., network diagram)
• Information storage protection that safeguards system and data availability, integrity, and confidentiality
• Flow of information pertaining to the IT system (e.g., system interfaces, system input and output flowchart)
• Technical controls used for the IT system (e.g., built-in or add-on security product that supports identification and authentication, discretionary or mandatory access control, audit, residual information protection, encryption methods)
• Management controls used for the IT system (e.g., rules of behavior, security
• Operational controls used for the IT system (e.g., personnel security, backup, contingency, and resumption and recovery operations; system maintenance; off-site storage; user account establishment and deletion procedures; controls for segregation of user functions, such as privileged user access versus standard user access)
• Physical security environment of the IT system (e.g., facility security, data center
• Environmental security implemented for the IT system processing environment (e.g., controls for humidity, water, power, pollution, temperature, and chemicals).

⁴ The level of protection required to maintain system and data integrity, confidentiality, and availability.

For a system that is in the initiation or design phase, system information can be derived from the design or requirements document. For an IT system under development, it is necessary to define key security rules and attributes planned for the future IT system. System design documents and the system security plan can provide useful information about the security of an IT system that is in development.

For an operational IT system, data is collected about the IT system in its production environment, including data on system configuration, connectivity, and documented and undocumented procedures and practices. Therefore, the system description can be based on the security provided by the underlying infrastructure or on future security plans for the IT system.

3.1.2 Information-Gathering Techniques

Any, or a combination, of the following techniques can be used in gathering information relevant to the IT system within its operational boundary:

• Questionnaire. To collect relevant information, risk assessment personnel can develop a questionnaire concerning the management and operational controls planned or used for the IT system. This questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system. The questionnaire could also be used during on-site visits and

• On-site Interviews. Interviews with IT system support and management personnel can enable risk assessment personnel to collect useful information about the IT system (e.g., how the system is operated and managed). On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system. Appendix A contains sample interview questions asked during interviews with site personnel to achieve a better understanding of the operational characteristics of an organization. For systems still in the design phase, on-site visits would be face-to-face data gathering exercises and could provide the opportunity to evaluate the physical environment in which the IT system will operate.

• Document Review. Policy documents (e.g., legislative documentation, directives), system documentation (e.g., system user guide, system administrative manual, system design and requirement document, acquisition document), and security-related documentation (e.g., previous audit report, risk assessment report, system test results, system security plan⁵, security policies) can provide good information about the security controls used by and planned for the IT system. An organization’s mission impact analysis or asset criticality assessment provides information regarding system and data criticality and sensitivity.

• Use of Automated Scanning Tool. Proactive technical methods can be used to collect system information efficiently. For example, a network mapping tool can identify the services that run on a large group of hosts and provide a quick way of building individual profiles of the target IT system(s).

Information gathering can be conducted throughout the risk assessment process, from Step 1 (System Characterization) through Step 9 (Results Documentation).

Output from Step 1—Characterization of the IT system assessed, a good picture of the IT system environment, and delineation of system boundary


A threat is the potential for a particular threat-source to successfully exercise a particular
vulnerability. A vulnerability is a weakness that can
be accidentally triggered or intentionally exploited. A
threat-source does not present a risk when there is no

vulnerability that can be exercised. In determining the

likelihood of a threat (Section 3.5), one must consider

threat-sources, potential vulnerabilities (Section 3.3),

and existing controls (Section 3.4).

Threat: The potential for a threat-

source to exercise (accidentally trigger

or intentionally exploit) a specific


3.2.1 Threat-Source Identification

The goal of this step is to identify the potential

threat-sources and compile a threat statement

listing potential threat-sources that are applicable

to the IT system being evaluated.

Threat-Source: Either (1) intent and method

targeted at the intentional exploitation of a

vulnerability or (2) a situation and method

that may accidentally trigger a vulnerability.

^ During the initial phase, a risk assessment could be used to develop the initial system security plan.

SP 800-30 Page 12

A threat-source is defined as any circumstance or event with the potential to cause harm to an IT system. The common threat-sources can be natural, human, or environmental.

Common Threat-Sources

• Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

• Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

• Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.

In assessing threat-sources, it is important to consider all potential threat-sources that could cause harm to an IT system and its processing environment. For example, although the threat statement for an IT system located in a desert may not include “natural flood” because of the low likelihood of such an event’s occurring, environmental threats such as a bursting pipe can quickly flood a computer room and cause damage to an organization’s IT assets and resources. Humans can be threat-sources through intentional acts, such as deliberate attacks by malicious persons or disgruntled employees, or unintentional acts, such as negligence and errors. A deliberate attack can be either (1) a malicious attempt to gain unauthorized access to an IT system (e.g., via password guessing) in order to compromise system and data integrity, availability, or confidentiality or (2) a benign, but nonetheless purposeful, attempt to circumvent system security. One example of the latter type of deliberate attack is a programmer’s writing a Trojan horse program to bypass system security in order to “get the job done.”

3.2.2 Motivation and Threat Actions

Motivation and the resources for carrying out an attack make humans potentially dangerous threat-sources. Table 3-1 presents an overview of many of today’s common human threats, their possible motivations, and the methods or threat actions by which they might carry out an attack. This information will be useful to organizations studying their human threat environments and customizing their human threat statements. In addition, reviews of the history of system break-ins; security violation reports; incident reports; and interviews with the system administrators, help desk personnel, and user community during information gathering will help identify human threat-sources that have the potential to harm an IT system and its data and that may be a concern where a vulnerability exists.

Table 3-1. Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source: Hacker, cracker
Threat Actions:
• Hacking
• Social engineering
• System intrusion, break-ins
• Unauthorized system access

Threat-Source: Computer criminal
Motivation:
• Destruction of information
• Illegal information disclosure
• Monetary gain
• Unauthorized data alteration
Threat Actions:
• Computer crime (e.g., cyber
• Fraudulent act (e.g., replay, impersonation, interception)
• Information bribery
• Spoofing
• System intrusion

Threat-Source: Terrorist
Threat Actions:
• Bomb/Terrorism
• Information warfare
• System attack (e.g., distributed denial of service)
• System penetration
• System tampering

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)
Motivation:
• Competitive advantage
• Economic espionage
Threat Actions:
• Economic exploitation
• Information theft
• Intrusion on personal privacy
• Social engineering
• System penetration
• Unauthorized system access (access to classified, proprietary, and/or technology-related information)

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Motivation:
• Monetary gain
• Unintentional errors and omissions (e.g., data entry error, programming error)
Threat Actions:
• Assault on an employee
• Blackmail
• Browsing of proprietary information
• Computer abuse
• Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
• Malicious code (e.g., virus, logic bomb, Trojan horse)
• Sale of personal information
• System bugs
• System intrusion
• System sabotage
• Unauthorized system access

An estimate of the motivation, resources, and capabilities that may be required to carry out a successful attack should be developed after the potential threat-sources have been identified, in order to determine the likelihood of a threat’s exercising a system vulnerability, as described in Section 3.5.

The threat statement, or the list of potential threat-sources, should be tailored to the individual organization and its processing environment (e.g., end-user computing habits). In general, information on natural threats (e.g., floods, earthquakes, storms) should be readily available. Known threats have been identified by many government and private sector organizations. Intrusion detection tools also are becoming more prevalent, and government and industry organizations continually collect data on security events, thereby improving the ability to realistically assess threats. Sources of information include, but are not limited to, the following:

• Intelligence agencies (for example, the Federal Bureau of Investigation’s National Infrastructure Protection Center)
• Federal Computer Incident Response Center (FedCIRC)
• Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org.

Output from Step 2—A threat statement containing a list of threat-sources that could exploit system vulnerabilities


3.3 Step 3: Vulnerability Identification

The analysis of the threat to an IT system must include an analysis of the vulnerabilities associated with the system environment. The goal of this step is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources.

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Table 3-2 presents examples of vulnerability/threat pairs.

Table 3-2. Vulnerability/Threat Pairs

Vulnerability: Terminated employees’ system identifiers (ID) are not removed from the system
Threat-Source: Terminated employees
Threat Action: Dialing into the company’s network and accessing company proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
Threat-Source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the guest ID

Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place
Threat-Source: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center

Recommended methods for identifying system vulnerabilities are the use of vulnerability sources, the performance of system security testing, and the development of a security requirements checklist.

It should be noted that the types of vulnerabilities that will exist, and the methodology needed to determine whether the vulnerabilities are present, will usually vary depending on the nature of the IT system and the phase it is in within the SDLC:

• If the IT system has not yet been designed, the search for vulnerabilities should focus on the organization’s security policies, planned security procedures, and system requirement definitions, and the vendors’ or developers’ security product analyses (e.g., white papers).

• If the IT system is being implemented, the identification of vulnerabilities should be expanded to include more specific information, such as the planned security features described in the security design documentation and the results of system certification test and evaluation.

• If the IT system is operational, the process of identifying vulnerabilities should include an analysis of the IT system security features and the security controls, technical and procedural, used to protect the system.

3.3.1 Vulnerability Sources

The technical and nontechnical vulnerabilities associated with an IT system’s processing environment can be identified via the information-gathering techniques described in Section 3.1.2. A review of other industry sources (e.g., vendor Web pages that identify system bugs and flaws) will be useful in preparing for the interviews and in developing effective questionnaires to identify vulnerabilities that may be applicable to specific IT systems (e.g., a specific version of a specific operating system). The Internet is another source of information on known system vulnerabilities posted by vendors, along with hot fixes, service packs, patches, and other remedial measures that may be applied to eliminate or mitigate vulnerabilities. Documented vulnerability sources that should be considered in a thorough vulnerability analysis include, but are not limited to, the following:

• Previous risk assessment documentation of the IT system assessed
• The IT system’s audit reports, system anomaly reports, security review reports, and system test and evaluation reports
• Vulnerability lists, such as the NIST I-CAT vulnerability database
• Security advisories, such as FedCIRC and the Department of Energy’s Computer Incident Advisory Capability bulletins
• Vendor advisories
• Commercial computer incident/emergency response teams and post lists (e.g., SecurityFocus.com forum mailings)
• Information Assurance Vulnerability Alerts and bulletins for military systems
• System software security analyses.

3.3.2 System Security Testing

Proactive methods, employing system testing, can be used to identify system vulnerabilities efficiently, depending on the criticality of the IT system and available resources (e.g., allocated funds, available technology, persons with the expertise to conduct the test). Test methods include:

• Automated vulnerability scanning tool
• Security test and evaluation (ST&E)
• Penetration testing.

The automated vulnerability scanning tool is used to scan a group of hosts or a network for known vulnerable services (e.g., system allows anonymous File Transfer Protocol [FTP], sendmail relaying). However, it should be noted that some of the potential vulnerabilities identified by the automated scanning tool may not represent real vulnerabilities in the context of the system environment. For example, some of these scanning tools rate potential vulnerabilities without considering the site’s environment and requirements. Some of the “vulnerabilities” flagged by the automated scanning software may not actually be vulnerabilities for a particular site but may be configured that way because the environment requires it. Thus, this test method may produce false positives.

ST&E is another technique that can be used in identifying IT system vulnerabilities during the risk assessment process. It includes the development and execution of a test plan (e.g., test script, test procedures, and expected test results). The purpose of system security testing is to test the effectiveness of the security controls of an IT system as they have been applied in an operational environment. The objective is to ensure that the applied controls meet the approved security specification for the software and hardware and implement the organization’s security policy or meet industry standards.

Penetration testing can be used to complement the review of security controls and ensure that different facets of the IT system are secured. Penetration testing, when employed in the risk assessment process, can be used to assess an IT system’s ability to withstand intentional attempts to circumvent system security. Its objective is to test the IT system from the viewpoint of a threat-source and to identify potential failures in the IT system protection schemes.

(Note: the NIST SP draft 800-42, Network Security Testing Overview, describes the methodology for network system testing and the use of automated tools.)

The results of these types of optional security testing will help identify a system’s vulnerabilities.

3.3.3 Development of Security Requirements Checklist

During this step, the risk assessment personnel determine whether the security requirements stipulated for the IT system and collected during system characterization are being met by existing or planned security controls. Typically, the system security requirements can be presented in table form, with each requirement accompanied by an explanation of how the system’s design or implementation does or does not satisfy that security control requirement.

A security requirements checklist contains the basic security standards that can be used to systematically evaluate and identify the vulnerabilities of the assets (personnel, hardware, software, information), nonautomated procedures, processes, and information transfers associated with a given IT system in the following security areas:

• Management
• Operational
• Technical.

Table 3-3 lists security criteria suggested for use in identifying an IT system’s vulnerabilities in each security area.

Table 3-3. Security Criteria

Security Area: Management Security
Security Criteria:
• Assignment of responsibilities
• Continuity of support
• Incident response capability
• Periodic review of security controls
• Personnel clearance and background investigations
• Risk assessment
• Security and technical training
• Separation of duties
• System authorization and reauthorization
• System or application security plan

Security Area: Operational Security
Security Criteria:
• Control of air-borne contaminants (smoke, dust, chemicals)
• Controls to ensure the quality of the electrical power supply
• Data media access and disposal
• External data distribution and labeling
• Facility protection (e.g., computer room, data center, office)
• Humidity
• Temperature control
• Workstations, laptops, and stand-alone personal computers

Security Area: Technical Security
Security Criteria:
• Communications (e.g., dial-in, system interconnection, routers)
• Cryptography
• Discretionary access control
• Identification and authentication
• Intrusion detection
• Object reuse
• System audit

The outcome of this process is the security requirements checklist. Sources that can be used in compiling such a checklist include, but are not limited to, the following government regulatory and security directives and sources applicable to the IT system processing environment:

• CSA of 1987
• Federal Information Processing Standards Publications
• OMB November 2000 Circular A-130
• Privacy Act of 1974
• System security plan of the IT system assessed
• The organization’s security policies, guidelines, and standards
• Industry practices.

The NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, provides an extensive questionnaire containing specific control objectives against which a system or group of interconnected systems can be tested and measured. The control objectives are abstracted directly from long-standing requirements found in statute, policy, and guidance on security and privacy.

The results of the checklist (or questionnaire) can be used as input for an evaluation of compliance and noncompliance. This process identifies system, process, and procedural weaknesses that represent potential vulnerabilities.

Output from Step 3—A list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources

(Note: because the risk assessment report is not an audit report, some sites may prefer to address the identified vulnerabilities as observations instead of findings in the risk assessment report.)

3.4 Step 4: Control Analysis

The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat’s exercising a system vulnerability.

To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment (Step 5 below), the implementation of current or planned controls must be considered. For example, a vulnerability (e.g., system or procedural weakness) is not likely to be exercised or the likelihood is low if there is a low level of threat-source interest or capability or if there are effective security controls that can eliminate, or reduce the magnitude of, harm.

Sections 3.4.1 through 3.4.3, respectively, discuss control methods, control categories, and the control analysis technique.

3.4.1 Control Methods

Security controls encompass the use of technical and nontechnical methods. Technical controls are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software). Nontechnical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security.

3.4.2 Control Categories

The control categories for both technical and nontechnical control methods can be further classified as either preventive or detective. These two subcategories are explained as follows:

• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.
• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

Section 4.4 further explains these controls from the implementation standpoint. The implementation of such controls during the risk mitigation process is the direct result of the identification of deficiencies in current or planned controls during the risk assessment process (e.g., controls are not in place or controls are not properly implemented).

3.4.3 Control Analysis Technique

As discussed in Section 3.3.3, development of a security requirements checklist or use of an available checklist will be helpful in analyzing controls in an efficient and systematic manner. The security requirements checklist can be used to validate security noncompliance as well as compliance. Therefore, it is essential to update such checklists to reflect changes in an organization’s control environment (e.g., changes in security policies, methods, and requirements) to ensure the checklist’s validity.

Output from Step 4—List of current or planned controls used for the IT system to mitigate the likelihood of a vulnerability’s being exercised and reduce the impact of such an adverse event


3.5 Step 5: Likelihood Determination

To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:

• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls.

The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. Table 3-4 below describes these three likelihood levels.

Table 3-4. Likelihood Definitions

Likelihood Level: High
Likelihood Definition: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Likelihood Level: Medium
Likelihood Definition: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Likelihood Level: Low
Likelihood Definition: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Output from Step 5—Likelihood rating (High, Medium, Low)


3.6 Step 6: Impact Analysis

The next major step in measuring level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following information as discussed in Section 3.1.1:

• System mission (e.g., the processes performed by the IT system)
• System and data criticality (e.g., the system’s value or importance to an organization)
• System and data sensitivity.

This information can be obtained from existing organizational documentation, such as the mission impact analysis report or asset criticality assessment report. A mission impact analysis (also known as business impact analysis [BIA] for some organizations) prioritizes the impact levels associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization’s critical missions.

If this documentation does not exist or such assessments for the organization’s IT assets have not been performed, the system and data sensitivity can be determined based on the level of protection required to maintain the system and data’s availability, integrity, and confidentiality. Regardless of the method used to determine how sensitive an IT system and its data are, the system and information owners are the ones responsible for determining the impact level for their own system and information. Consequently, in analyzing impact, the appropriate approach is to interview the system and information owner(s).

Therefore, the adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the consequence (or impact) of its not being met:

• Loss of Integrity. System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.

• Loss of Availability. If a mission-critical IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission.

• Loss of Confidentiality. System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.

Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the system, or the level of effort required to correct problems caused by a successful threat action. Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization’s interest) cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impacts. Because of the generic nature of this discussion, this guide designates and describes only the qualitative categories—high, medium, and low impact (see Table 3-5).

Table 3-5. Magnitude of Impact Definitions

Magnitude of Impact: High
Impact Definition: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.

Magnitude of Impact: Medium
Impact Definition: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.

Magnitude of Impact: Low
Impact Definition: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

Quantitative versus Qualitative Assessment

In conducting the impact analysis, consideration should be given to the advantages and disadvantages of quantitative versus qualitative assessments. The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner. Additional factors often must be considered to determine the magnitude of impact. These may include, but are not limited to:

• An estimation of the frequency of the threat-source’s exercise of the vulnerability over a specified time period (e.g., 1 year)
• An approximate cost for each occurrence of the threat-source’s exercise of the vulnerability
• A weighted factor based on a subjective analysis of the relative impact of a specific threat’s exercising a specific vulnerability.

Output from Step 6—Magnitude of impact (High, Medium, or Low)


3.7 Step 7: Risk Determination

The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of

• The likelihood of a given threat-source’s attempting to exercise a given vulnerability
• The magnitude of the impact should a threat-source successfully exercise the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk.

To measure risk, a risk scale and a risk-level matrix must be developed. Section 3.7.1 presents a standard risk-level matrix; Section 3.7.2 describes the resulting risk levels.

3.7.1 Risk-Level Matrix

The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact. Table 3-6 below shows how the overall risk ratings might be determined based on inputs from the threat likelihood and threat impact categories. The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low). Depending on the site’s requirements and the granularity of risk assessment desired, some sites may use a 4 x 4 or a 5 x 5 matrix. The latter can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to generate a Very Low/Very High risk level. A “Very High” risk level may require possible system shutdown or stopping of all IT system integration and testing efforts.

The sample matrix in Table 3-6 shows how the overall risk levels of High, Medium, and Low are derived. The determination of these risk levels or ratings may be subjective. The rationale for this justification can be explained in terms of the probability assigned for each threat likelihood level and a value assigned for each impact level. For example,

• The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, 0.1 for Low
• The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low

    Table 3-6. Risk-Level Matrix

    Threat Likelihood | Impact: Low (10)       | Impact: Medium (50)      | Impact: High (100)
    High (1.0)        | Low: 10 x 1.0 = 10     | Medium: 50 x 1.0 = 50    | High: 100 x 1.0 = 100
    Medium (0.5)      | Low: 10 x 0.5 = 5      | Medium: 50 x 0.5 = 25    | Medium: 100 x 0.5 = 50
    Low (0.1)         | Low: 10 x 0.1 = 1      | Low: 50 x 0.1 = 5        | Low: 100 x 0.1 = 10

    Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

    3.7.2 Description of Risk Level

    Table 3-7 describes the risk levels shown in the above matrix. This risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale also presents actions that senior management, the mission owners, must take for each risk level.

    Table 3-7. Risk Scale and Necessary Actions

    Risk Level | Risk Description and Necessary Actions
    High       | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
    Medium     | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
    Low        | If an observation is described as low risk, the system’s DAA must determine whether corrective actions are still required or decide to accept the risk.

    Output from Step 7—Risk level (High, Medium, Low)

    Footnote to the risk scale: If the level indicated on certain items is so low as to be deemed to be “negligible” or non-significant (value is <1 on a risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding them for management action. This will make sure that they are not overlooked when conducting the next periodic risk assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a new risk level on a reassessment due to a change in threat likelihood and/or impact, and that is why it is critical that their identification not be lost in the exercise.
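To make the arithmetic of Table 3-6 and the actions of Table 3-7 concrete, here is an added Python example (not code from SP 800-30 or from this page) that scores threat/vulnerability pairs with the guide's likelihood probabilities and impact values, maps each score onto the High/Medium/Low scale including the "negligible" bucket from the footnote, and ranks observations from High to Low. The sample observations, the Observation record and the option of passing a site's own rating tables are assumptions for illustration.

```python
"""Worked example of the SP 800-30 risk-level matrix (Section 3.7).

Added illustration, not code from NIST or the page. The likelihood
probabilities (1.0/0.5/0.1), impact values (100/50/10) and the risk scale
(High >50 to 100, Medium >10 to 50, Low 1 to 10) are the ones the guide
gives. A site's 4 x 4 or 5 x 5 matrix can be plugged in by passing other
rating tables; the guide gives no numbers for those, so none are assumed here.
"""
from dataclasses import dataclass

# Ratings as given in the guide's example (Section 3.7.1).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Actions from Table 3-7 plus the footnote's "negligible" bucket.
ACTIONS = {
    "High": "corrective action plan required as soon as possible; system may keep operating",
    "Medium": "corrective actions needed; plan them within a reasonable period",
    "Low": "DAA decides whether corrective action is still required or accepts the risk",
    "Negligible": "hold aside in a separate bucket; re-examine at the next periodic assessment",
}


def risk_score(likelihood, impact, likelihood_table=LIKELIHOOD, impact_table=IMPACT):
    """Risk = likelihood probability x impact value for one threat/vulnerability pair."""
    # Rounding keeps results such as 0.1 x 50 on the clean integer scale of the table.
    return round(likelihood_table[likelihood] * impact_table[impact], 6)


def risk_level(score):
    """Map a score on the 1-to-100 scale to the guide's risk scale.

    Boundaries follow Table 3-6 literally: 10 is Low, 50 is Medium, 100 is High.
    Scores below 1 are the "negligible" items the footnote says to record but
    not forward for management action.
    """
    if score < 1:
        return "Negligible"
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Medium"
    if score <= 100:
        return "High"
    raise ValueError(f"score {score} is outside the 1-to-100 risk scale")


def build_matrix(likelihood_table=LIKELIHOOD, impact_table=IMPACT):
    """Return Table 3-6 as data: {likelihood: {impact: (score, level)}}."""
    matrix = {}
    for lk in likelihood_table:
        matrix[lk] = {}
        for im in impact_table:
            score = risk_score(lk, im, likelihood_table, impact_table)
            matrix[lk][im] = (score, risk_level(score))
    return matrix


@dataclass
class Observation:
    """One threat/vulnerability pair as reported in a risk assessment (assumed record layout)."""
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str

    def assess(self):
        """Return (score, level, necessary action) for this pair."""
        score = risk_score(self.likelihood, self.impact)
        level = risk_level(score)
        return score, level, ACTIONS[level]


def rank_observations(observations):
    """Order observations from High to Low risk, as the report hands them to mitigation."""
    return sorted(observations, key=lambda o: o.assess()[0], reverse=True)


if __name__ == "__main__":
    # Constructed sample observations (not from the guide).
    sample = [
        Observation("External attacker", "unpatched web server", "High", "High"),
        Observation("Insider", "shared administrator password", "Medium", "High"),
        Observation("Flood", "server room below grade", "Low", "Medium"),
        Observation("User error", "no validation on report input form", "Medium", "Low"),
    ]
    for row, cells in build_matrix().items():
        print(f"{row:<7}", {im: f"{s:g} ({lvl})" for im, (s, lvl) in cells.items()})
    for obs in rank_observations(sample):
        score, level, action = obs.assess()
        print(f"{score:>5g}  {level:<7}  {obs.vulnerability}: {action}")
```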


    3.8 Step 8: Control Recommendations

    During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

    • Effectiveness of recommended options (e.g., system compatibility)

    • Legislation and regulation

    • Organizational policy

    • Operational impact

    • Safety and reliability.

    The control recommendations are the results of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.

    It should be noted that not all possible recommended controls can be implemented to reduce loss. To determine which ones are required and appropriate for a specific organization, a cost-benefit analysis, as discussed in Section 4.6, should be conducted for the proposed recommended controls, to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. In addition, the operational impact (e.g., effect on system performance) and feasibility (e.g., technical requirements, user acceptance) of introducing the recommended option should be evaluated carefully during the risk mitigation process.

    Output from Step 8—Recommendation of control(s) and alternative solutions to mitigate risk


    3.9 Step 9: Results Documentation

    Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.

    A risk assessment report is a management report that helps senior management, the mission owners, make decisions on policy, procedural, budget, and system operational and management changes. Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment report should not be presented in an accusatory manner but as a systematic and analytical approach to assessing risk so that senior management will understand the risks and allocate resources to reduce and correct potential losses. For this reason, some people prefer to address the threat/vulnerability pairs as observations instead of findings in the risk assessment report.

    Appendix B provides a suggested outline for the risk assessment report.

    Output from Step 9—Risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation


    4. Risk Mitigation

    Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment

    Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.

    This section describes risk mitigation options (Section 4.1), the risk mitigation strategy (Section 4.2), an approach for control implementation (Section 4.3), control categories (Section 4.4), the cost-benefit analysis used to justify the implementation of the recommended controls (Section 4.5), and residual risk (Section 4.6).


    4.1 Risk Mitigation Options

    Risk mitigation is a systematic methodology used by senior management to reduce mission risk. Risk mitigation can be achieved through any of the following risk mitigation options:

    • Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level

    • Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are

    • Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)

    • Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls

    • Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability

    • Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

    The goals and mission of an organization should be considered in selecting any of these risk mitigation options. It may not be practical to address all identified risks, so priority should be given to the threat and vulnerability pairs that have the potential to cause significant mission impact or harm. Also, in safeguarding an organization’s mission and its IT systems, because of each organization’s unique environment and objectives, the option used to mitigate the risk and the methods used to implement controls may vary. The “best of breed” approach is to use appropriate technologies from among the various vendor security products, along with the appropriate risk mitigation option and nontechnical, administrative measures.


    4.2 Risk Mitigation Strategy

    Senior management, the mission owners, knowing the potential risks and recommended controls, may ask, “When and under what circumstances should I take action? When shall I implement these controls to mitigate the risk and protect our organization?”

    The risk mitigation chart in Figure 4-1 addresses these questions. Appropriate points for implementation of control actions are indicated in this figure by the word YES.

    [Figure 4-1. Risk Mitigation Action Points]

    This strategy is further articulated in the following rules of thumb, which provide guidance on actions to mitigate risks from intentional human threats:

    • When vulnerability (or flaw, weakness) exists → implement assurance techniques to reduce the likelihood of a vulnerability’s being exercised.

    • When a vulnerability can be exercised → apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this

    • When the attacker’s cost is less than the potential gain → apply protections to decrease an attacker’s motivation by increasing the attacker’s cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker’s gain).

    • When loss is too great → apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

    The strategy outlined above, with the exception of the third list item (“When the attacker’s cost is less than the potential gain”), also applies to the mitigation of risks arising from environmental or unintentional human threats (e.g., system or user errors). (Because there is no “attacker,” no motivation or gain is involved.)


    4.3 Approach for Control Implementation

    When control actions must be taken, the following rule applies:

    Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities.

    The following risk mitigation methodology describes the approach to control implementation:

    • Step 1—Prioritize Actions
    Based on the risk levels presented in the risk assessment report, the implementation actions are prioritized. In allocating resources, top priority should be given to risk items with unacceptably high risk rankings (e.g., risk assigned a Very High or High risk level). These vulnerability/threat pairs will require immediate corrective action to protect an organization’s interest and mission.

    Output from Step 1—Actions ranking from High to Low

    • Step 2—Evaluate Recommended Control Options
    The controls recommended in the risk assessment process may not be the most appropriate and feasible options for a specific organization and IT system. During this step, the feasibility (e.g., compatibility, user acceptance) and effectiveness (e.g., degree of protection and level of risk mitigation) of the recommended control options are analyzed. The objective is to select the most appropriate control option for minimizing risk.

    Output from Step 2—List of feasible controls

    • Step 3—Conduct Cost-Benefit Analysis
    To aid management in decision making and to identify cost-effective controls, a cost-benefit analysis is conducted. Section 4.5 details the objectives and method of conducting the cost-benefit analysis.

    Output from Step 3—Cost-benefit analysis describing the cost and benefits of implementing or not implementing the controls

    • Step 4—Select Control
    On the basis of the results of the cost-benefit analysis, management determines the most cost-effective control(s) for reducing risk to the organization’s mission. The controls selected should combine technical, operational, and management control elements to ensure adequate security for the IT system and the organization.

    Output from Step 4—Selected control(s)

    • Step 5—Assign Responsibility
    Appropriate persons (in-house personnel or external contracting staff) who have the appropriate expertise and skill-sets to implement the selected control are identified, and responsibility is assigned.

    Output from Step 5—List of responsible persons

    • Step 6—Develop a Safeguard Implementation Plan
    During this step, a safeguard implementation plan* (or action plan) is developed. The plan should, at a minimum, contain the following information:

    – Risks (vulnerability/threat pairs) and associated risk levels (output from risk assessment report)

    – Recommended controls (output from risk assessment report)

    – Prioritized actions (with priority given to items with Very High and High risk

    – Selected planned controls (determined on the basis of feasibility, effectiveness, benefits to the organization, and cost)

    – Required resources for implementing the selected planned controls

    – Lists of responsible teams and staff

    – Start date for implementation

    – Target completion date for implementation

    – Maintenance requirements.

    The safeguard implementation plan prioritizes the implementation actions and projects the start and target completion dates. This plan will aid and expedite the risk mitigation process. Appendix C provides a sample summary table for the safeguard implementation plan.

    Output from Step 6—Safeguard implementation plan

    • Step 7—Implement Selected Control(s)
    Depending on individual situations, the implemented controls may lower the risk level but not eliminate the risk. Residual risk is discussed in Section 4.6.

    Output from Step 7—Residual risk

    Figure 4-2 depicts the recommended methodology for risk mitigation.

    * NIST Interagency Report 4749, Sample Statements of Work for Federal Computer Security Services: For Use In-House or Contracting Out. December 1991.

    [Figure 4-2. Risk Mitigation Methodology Flowchart: Input → Risk Mitigation Activities (Steps 1 to 7 above) → Output]


    4.4 Control Categories

    In implementing recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for their IT systems and organization. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s

    The control recommendation process will involve choosing among a combination of technical, management, and operational controls for improving the organization’s security posture. The trade-offs that an organization will have to consider are illustrated by viewing the decisions involved in enforcing use of complex user passwords to minimize password guessing and cracking. In this case, a technical control requiring add-on security software may be more complex and expensive than a procedural control, but the technical control is likely to be more effective because the enforcement is automated by the system. On the other hand, a procedural control might be implemented simply by means of a memorandum to all concerned individuals and an amendment to the security guidelines for the organization, but ensuring that users consistently follow the memorandum and guideline will be difficult and will require security awareness training and user acceptance.

    This section provides a high-level overview of some of the control categories. More detailed guidance about implementing and planning for IT controls can be found in NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, and NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.

    Sections 4.4.1 through 4.4.3 provide an overview of technical, management, and operational controls, respectively.

    4.4.1 Technical Security Controls

    Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into the following major categories, according to primary purpose:

    • Support (Section Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other

    • Prevent (Section Preventive controls focus on preventing security breaches from occurring in the first place.

    • Detect and Recover (Section These controls focus on detecting and recovering from a security breach.

    Figure 4-3 depicts the primary technical controls and the relationships between them.


    [Figure 4-3. Technical Security Controls; labels recovered from the figure: Cryptographic Key Management, Security Administration, System Protections (least privilege, object reuse, process separation, etc.)]

    Supporting Technical Controls

    Supporting controls are, by their very nature, pervasive and interrelated with many other controls. The supporting controls are as follows:

    • Identification. This control provides the ability to uniquely identify users, processes, and information resources. To implement other security controls (e.g., discretionary access control [DAC], mandatory access control [MAC], accountability), it is essential that both subjects and objects be identifiable.

    • Cryptographic Key Management. Cryptographic keys must be securely managed when cryptographic functions are implemented in various other controls. Cryptographic key management includes key generation, distribution, storage, and

    • Security Administration. The security features of an IT system must be configured (e.g., enabled or disabled) to meet the needs of a specific installation and to account for changes in the operational environment. System security can be built into operating system security or the application. Commercial off-the-shelf add-on security products are available.

    • System Protections. Underlying a system’s various security functional capabilities is a base of confidence in the technical implementation. This represents the quality of the implementation from the perspective both of the design processes used and of the manner in which the implementation was accomplished. Some examples of system protections are residual information protection (also known as object reuse), least privilege (or “need to know”), process separation, modularity, layering, and minimization of what needs to be trusted.

    Preventive Technical Controls

    These controls, which can inhibit attempts to violate security policy, include the following:

    • Authentication. The authentication control provides the means of verifying the identity of a subject to ensure that a claimed identity is valid. Authentication mechanisms include passwords, personal identification numbers, or PINs, and emerging authentication technology that provides strong authentication (e.g., token, smart card, digital certificate, Kerberos).

    • Authorization. The authorization control enables specification and subsequent management of the allowed actions for a given system (e.g., the information owner or the database administrator determines who can update a shared file accessed by a group of online users).

    • Access Control Enforcement. Data integrity and confidentiality are enforced by access controls. When the subject requesting access has been authorized to access particular processes, it is necessary to enforce the defined security policy (e.g., MAC or DAC). These policy-based controls are enforced via access control mechanisms distributed throughout the system (e.g., MAC sensitivity labels; DAC file permission sets, access control lists, roles, user profiles). The effectiveness and the strength of access control depend on the correctness of the access control decisions (e.g., how the security rules are configured) and the strength of access control enforcement (e.g., the design of software or hardware security).

    • Nonrepudiation. System accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Nonrepudiation spans both prevention and detection. It has been placed in the prevention category in this guide because the mechanisms implemented prevent the successful repudiation of an action (e.g., the digital certificate that contains the owner’s private key is known only to the owner). As a result, this control is typically applied at the point of transmission or reception.

    • Protected Communications. In a distributed system, the ability to accomplish security objectives is highly dependent on trustworthy communications. The protected communications control ensures the integrity, availability, and confidentiality of sensitive and critical information while it is in transit. Protected communications use data encryption methods (e.g., virtual private network, Internet Protocol Security [IPSEC] Protocol), and deployment of cryptographic technologies (e.g., Data Encryption Standard [DES], Triple DES, RSA, MD4, MD5, secure hash standard, and escrowed encryption algorithms such as Clipper) to minimize network threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping.

    • Transaction Privacy. Both government and private sector systems are increasingly required to maintain the privacy of individuals. Transaction privacy controls (e.g., Secure Sockets Layer, secure shell) protect against loss of privacy with respect to transactions performed by an individual.

    Detection and Recovery Technical Controls

    Detection controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums. Recovery controls can be used to restore lost computing resources. They are needed as a complement to the supporting and preventive technical measures, because none of the measures in these other areas is perfect. Detection and recovery controls include

    • Audit. The auditing of security-relevant events and the monitoring and tracking of system abnormalities are key elements in the after-the-fact detection of, and recovery from, security breaches.

    • Intrusion Detection and Containment. It is essential to detect security breaches (e.g., network break-ins, suspicious activities) so that a response can occur in a timely manner. It is also of little use to detect a security breach if no effective response can be initiated. The intrusion detection and containment control provides these two

    • Proof of Wholeness. The proof-of-wholeness control (e.g., system integrity tool) analyzes system integrity and irregularities and identifies exposures and potential threats. This control does not prevent violations of security policy but detects violations and helps determine the type of corrective action needed.

    • Restore Secure State. This service enables a system to return to a state that is known to be secure, after a security breach occurs.

    • Virus Detection and Eradication. Virus detection and eradication software installed on servers and user workstations detects, identifies, and removes software viruses to ensure system and data integrity.

    4.4.2 Management Security Controls

    Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.

    Management security controls—preventive, detection, and recovery—that are implemented to reduce risk are described in Sections through

    Preventive Management Security Controls

    These controls include the following:

    • Assign security responsibility to ensure that adequate security is provided for the mission-critical IT systems

    • Develop and maintain system security plans to document current controls and address planned controls for IT systems in support of the organization’s mission

    • Implement personnel security controls, including separation of duties, least privilege, and user computer access registration and termination

    • Conduct security awareness and technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the organization’s mission.

    Detection Management Security Controls

    Detection management controls are as follows:

    • Implement personnel security controls, including personnel clearance, background investigations, rotation of duties

    • Conduct periodic review of security controls to ensure that the controls are effective

    • Perform periodic system audits

    • Conduct ongoing risk management to assess and mitigate risk

    • Authorize IT systems to address and accept residual risk.

    Recovery Management Security Controls

    These controls include the following:

    • Provide continuity of support and develop, test, and maintain the continuity of operations plan to provide for business resumption and ensure continuity of operations during emergencies or disasters

    • Establish an incident response capability to prepare for, recognize, report, and respond to the incident and return the IT system to operational status.
    4.4.3 Operational Security Controls

    An organization’s security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization’s IT assets and resources are properly enforced and implemented in accordance with the organization’s goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls.

    Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained. These operational controls include those presented in Sections and below.

    Preventive Operational Controls

    Preventive operational controls are as follows:

    • Control data media access and disposal (e.g., physical access control, degaussing

    • Limit external data distribution (e.g., use of labeling)

    • Control software viruses

    • Safeguard computing facility (e.g., security guards, site procedures for visitors, electronic badge system, biometrics access control, management and distribution of locks and keys, barriers and fences)

    • Secure wiring closets that house hubs and cables

    • Provide backup capability (e.g., procedures for regular data and system backups, archive logs that save all database changes to be used in various recovery scenarios)

    • Establish off-site storage procedures and security

    • Protect laptops, personal computers (PC), workstations

    • Protect IT assets from fire damage (e.g., requirements and procedures for the use of fire extinguishers, tarpaulins, dry sprinkler systems, halon fire suppression system)

    • Provide emergency power source (e.g., requirements for uninterruptible power supplies, on-site power generators)

    • Control the humidity and temperature of the computing facility (e.g., operation of air conditioners, heat dispersal).

    Detection Operational Controls

    Detection operational controls include the following:

    • Provide physical security (e.g., use of motion detectors, closed-circuit television monitoring, sensors and alarms)

    • Ensure environmental security (e.g., use of smoke and fire detectors, sensors and

    To allocate resources and implement cost-effective controls, organizations, after identifying all
    possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit

    SP 800-30 Page 37

    analysis for each proposed control to determine which controls are required and appropriate for

    their circumstances.

    The cost-benefit analysis can be qualitative or quantitative. Its purpose is to demonstrate that the
    costs of implementing the controls can be justified by the reduction in the level of risk. For

    example, the organization may not want to spend $1,000 on a control to reduce a $200 risk.

    A cost-benefit analysis for proposed new controls or enhanced controls encompasses the

    • Determining the impact of implementing the new or enhanced controls

    • Determining the impact of not implementing the new or enhanced controls

    • Estimating the costs of the implementation. These may include, but are not limited
    to, the following:

    – Hardware and software purchases

    – Reduced operational effectiveness if system performance or functionality is
    reduced for increased security

    – Cost of implementing additional policies and procedures

    – Cost of hiring additional personnel to implement proposed policies, procedures, or


    – Training costs

    – Maintenance costs

    • Assessing the implementation costs and benefits against system and data criticality to

    determine the importance to the organization of implementing the new controls, given
    their costs and relative impact.

    The organization will need to assess the benefits of the controls in terms of maintaining an acceptable mission posture for the organization. Just as there is a cost for implementing a needed control, there is a cost for not implementing it. By relating the result of not implementing the control to the mission, organizations can determine whether it is feasible to forgo its implementation.

    Cost-Benefit Analysis Example: System X stores and processes mission-critical and sensitive employee privacy information; however, auditing has not been enabled for the system. A cost-benefit analysis is conducted to determine whether the audit feature should be enabled for System X.

    Items (1) and (2) address the intangible impact (e.g., deterrence factors) for implementing or not implementing the new control. Item (3) lists the tangibles (e.g., actual cost).

    (1) Impact of enabling system audit feature: The system audit feature allows the system security administrator to monitor users’ system activities but will slow down system performance and therefore affect user productivity. Also, the implementation will require additional resources, as described in Item 3.



    (2) Impact of not enabling system audit feature: User system activities and violations cannot be monitored and tracked if the system audit function is disabled, and security cannot be maximized to protect the organization’s confidential data and mission.

    (3) Cost estimation for enabling the system audit feature:

    Cost for enabling system audit feature—No cost, built-in feature     $ 0
    Additional staff to perform audit review and archive, per year       $ xx,xxx
    Training (e.g., system audit configuration, report generation)       $ x,xxx
    Add-on audit reporting software                                      $ x,xxx
    Audit data maintenance (e.g., storage, archiving), per year          $ x,xxx
    Total Estimated Costs                                                $ xx,xxx

    The organization’s managers must determine what constitutes an acceptable level of mission risk. The impact of a control may then be assessed, and the control either included or excluded, after the organization determines a range of feasible risk levels. This range will vary among organizations; however, the following rules apply in determining the use of new controls:

    • If control would reduce risk more than needed, then see whether a less expensive alternative exists

    • If control would cost more than the risk reduction provided, then find something else

    • If control does not reduce risk sufficiently, then look for more controls or a different

    • If control provides enough risk reduction and is cost-effective, then use it.

    Frequently the cost of implementing a control is more tangible than the cost of not implementing it. As a result, senior management plays a critical role in decisions concerning the implementation of control measures to protect the organizational mission.

    Organizations can analyze the extent of the risk reduction generated by the new or enhanced controls in terms of the reduced threat likelihood or impact, the two parameters that define the mitigated level of risk to the organizational mission.
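    The four decision rules and the likelihood/impact view of risk reduction, worked through as an added example (this is not code or a figure from SP 800-30): risk is modelled as expected occurrences per year times loss per occurrence, and the dollar figures, the "acceptable exposure" ceiling and the overshoot margin that defines "reduces risk more than needed" are all constructed assumptions.

```python
"""Cost-benefit decision rules for a proposed control, following the four
rules and the likelihood/impact view of risk reduction discussed above.
Added example, not text from SP 800-30; every number here is constructed."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    USE = "control provides enough risk reduction and is cost-effective: use it"
    SEEK_CHEAPER = "control reduces risk more than needed: look for a less expensive alternative"
    FIND_SOMETHING_ELSE = "control costs more than the risk reduction it provides: find something else"
    NEEDS_MORE = "control does not reduce risk sufficiently: add controls or choose a different one"


@dataclass(frozen=True)
class RiskScenario:
    """One threat-source/vulnerability pair, quantified (assumption) as
    expected occurrences per year times loss per occurrence."""
    likelihood: float  # expected occurrences per year
    impact: float      # loss per occurrence, in dollars

    @property
    def annual_exposure(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    """A proposed control and the fraction of likelihood / impact left after it."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # residual likelihood as a fraction of current
    impact_factor: float = 1.0      # residual impact as a fraction of current

    def residual(self, scenario: RiskScenario) -> RiskScenario:
        """Mitigated risk: the control lowers likelihood, impact, or both."""
        return RiskScenario(scenario.likelihood * self.likelihood_factor,
                            scenario.impact * self.impact_factor)


def annual_cost_from_items(one_time: dict, recurring: dict, years: int = 3) -> float:
    """Spread one-time costs (software, training) over the review period and
    add per-year costs (staff, storage). The 3-year default mirrors the
    reaccreditation interval mentioned in the text; the split is an assumption."""
    if years <= 0:
        raise ValueError("review period must be at least one year")
    return sum(one_time.values()) / years + sum(recurring.values())


def evaluate(scenario: RiskScenario, control: Control, acceptable_exposure: float,
             overshoot_margin: float = 0.5) -> Decision:
    """Apply the four decision rules. Disqualifying rules are checked first so
    that a control that is both insufficient and overpriced is never recommended.
    'More than needed' is taken (assumption) to mean the residual exposure ends
    up below overshoot_margin times the acceptable level."""
    residual = control.residual(scenario).annual_exposure
    reduction = scenario.annual_exposure - residual
    if residual > acceptable_exposure:
        return Decision.NEEDS_MORE
    if control.annual_cost > reduction:
        return Decision.FIND_SOMETHING_ELSE
    if residual < overshoot_margin * acceptable_exposure:
        return Decision.SEEK_CHEAPER
    return Decision.USE


def decide_all(scenario: RiskScenario, controls: list, acceptable: float) -> dict:
    """Return {control name: Decision} for a list of candidate controls."""
    return {c.name: evaluate(scenario, c, acceptable) for c in controls}


# Constructed scenario in the spirit of the text's "$1,000 control for a $200 risk".
SMALL_RISK = RiskScenario(likelihood=0.5, impact=400.0)      # $200 per year
OVERPRICED = Control("add-on software", annual_cost=1000.0,
                     likelihood_factor=0.0)                  # eliminates the risk entirely

# Constructed scenario for a stand-alone PC holding sensitive files (cf. the locked-room example).
SENSITIVE_PC = RiskScenario(likelihood=2.0, impact=50_000.0)  # $100,000 per year
ACCEPTABLE = 20_000.0                                         # management's chosen ceiling (assumption)
CANDIDATES = [
    Control("sign-in sheet only", annual_cost=500.0, likelihood_factor=0.5),
    Control("locked room, manager holds key", annual_cost=3_000.0, likelihood_factor=0.15),
    Control("locked room + guard + vault", annual_cost=8_000.0, likelihood_factor=0.02),
]

if __name__ == "__main__":
    print(OVERPRICED.name, "->", evaluate(SMALL_RISK, OVERPRICED, acceptable_exposure=50.0).value)
    for name, decision in decide_all(SENSITIVE_PC, CANDIDATES, ACCEPTABLE).items():
        print(f"{name}: {decision.value}")
```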

    Implementation of new or enhanced controls can mitigate risk by

    • Eliminating some of the system’s vulnerabilities (flaws and weakness), thereby reducing the number of possible threat-source/vulnerability pairs

    • Adding a targeted control to reduce the capacity and motivation of a threat-source

    For example, a department determines that the cost for installing and maintaining add-on security software for the stand-alone PC that stores its sensitive files is not justifiable, but that administrative and physical controls should be implemented to make physical access to that PC more difficult (e.g., store the PC in a locked room, with the key kept by the manager).

    • Reducing the magnitude of the adverse impact (for example, limiting the extent of a vulnerability or modifying the nature of the relationship between the IT system and the organization’s mission).

    The relationship between control implementation and residual risk is graphically presented in Figure 4-4.

    Figure 4-4. Implemented Controls and Residual Risk

    The risk remaining after the implementation of new or enhanced controls is the residual risk. Practically no IT system is risk free, and not all implemented controls can eliminate the risk they are intended to address or reduce the risk level to zero.

    As mandated by OMB Circular A-130, an organization’s senior management or the DAA, who are responsible for protecting the organization’s IT asset and mission, must authorize (or accredit) the IT system to begin or continue to operate. This authorization or accreditation must occur at least every 3 years or whenever major changes are made to the IT system. The intent of this process is to identify risks that are not fully addressed and to determine whether additional controls are needed to mitigate the risks identified in the IT system. For federal agencies, after the appropriate controls have been put in place for the identified risks, the DAA will sign a statement accepting any residual risk and authorizing the operation of the new IT system or the continued processing of the existing IT system. If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level.



    In most organizations, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.

    This section emphasizes the good practice and need for an ongoing risk evaluation and assessment and the factors that will lead to a successful risk management program.


    The risk assessment process is usually repeated at least every 3 years for federal agencies, as mandated by OMB Circular A-130. However, risk management should be conducted and integrated in the SDLC for IT systems, not because it is required by law or regulation, but because it is a good practice and supports the organization’s business objectives or mission.

    There should be a specific schedule for assessing and mitigating mission risks, but the periodically performed process should also be flexible enough to allow changes where warranted, such as major changes to the IT system and processing environment due to changes resulting from policies and new technologies.


    A successful risk management program will rely on (1) senior management’s commitment; (2) the full support and participation of the IT team (see Section 2.3); (3) the competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization; (4) the awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization; and (5) an ongoing evaluation and assessment of the IT-related mission risks.



    APPENDIX A: Sample Interview Questions

    Interview questions should be tailored based upon where the IT system assessed is in the SDLC. Sample questions to be asked during interviews with site personnel to gain an understanding of the operational characteristics of an organization may include the following:

    • Who are valid users?

    • What is the mission of the user organization?

    • What is the purpose of the system in relation to the mission?

    • How important is the system to the user organization’s mission?

    • What is the system-availability requirement?

    • What information (both incoming and outgoing) is required by the organization?

    • What information is generated by, consumed by, processed on, stored in, and
    retrieved by the system?

    • How important is the information to the user organization’s mission?

    • What are the paths of information flow?

    • What types of information are processed by and stored on the system (e.g., financial,
    personnel, research and development, medical, command and control)?

    • What is the sensitivity (or classification) level of the information?

    • What information handled by or about the system should not be disclosed and to

    • Where specifically is the information processed and stored?

    • What are the types of information storage?

    • What is the potential impact on the organization if the information is disclosed to
    unauthorized personnel?

    • What are the requirements for information availability and integrity?

    • What is the effect on the organization’s mission if the system or information is not

    • How much system downtime can the organization tolerate? How does this downtime
    compare with the mean repair/recovery time? What other processing or
    communications options can the user access?

    • Could a system or security malfunction or unavailability result in injury or death?





    I. Introduction

    • Purpose

    • Scope of this risk assessment

    Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.

    II. Risk Assessment Approach

    Briefly describe the approach used to conduct the risk assessment, such as

    • The participants (e.g., risk assessment team members)

    • The technique used to gather information (e.g., the use of tools, questionnaires)

    • The development and description of risk scale (e.g., a 3x3, 4×4, or 5×5 risk-level

    III. System Characterization

    Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users. Provide connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.

    IV. Threat Statement

    Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.

    V. Risk Assessment Results

    List the observations (vulnerability/threat pairs). Each observation must include

    • Observation number and brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked)

    • A discussion of the threat-source and vulnerability pair

    • Identification of existing mitigating security controls

    • Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)

    • Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)

    • Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)

    • Recommended controls or alternative options for reducing the risk.

    VI. Summary

    Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.




    AES Advanced Encryption Standard

    CSA Computer Security Act

    DAA Designated Approving Authority

    DAC Discretionary Access Control

    DES Data Encryption Standard

    FedCIRC Federal Computer Incident Response Center

    FTP File Transfer Protocol

    ID Identifier

    IPSEC Internet Security Protocol

    ISSO Information system security officer

    IT Information Technology

    ITL Information Technology Laboratory

    MAC Mandatory Access Control

    NIPC National Infrastructure Protection Center

    NIST National Institute of Standards and Technology

    OIG Office of Inspector General

    OMB Office of Management and Budget

    PC Personal Computer

    SDLC System Development Life Cycle

    SP Special Publication

    ST&E Security Test and Evaluation








    Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

    Assurance: Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

    Availability: The security goal that generates the requirement for protection against

    • Intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data

    • Unauthorized use of system resources.

    Confidentiality: The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.

    Denial of Service: The prevention of authorized access to resources or the delaying of time-critical operations.

    Due Care: Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

    Integrity: The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).

    IT-Related Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to

    1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information

    2. Unintentional errors and omissions

    3. IT disruptions due to natural or man-made disasters

    4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

    IT Security Goal: See Security Goals

    Risk: Within this document, synonymous with IT-Related Risk.

    Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.

    Risk Management: The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

    Security: Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically.

    Security Goals: The five security goals are integrity, availability, confidentiality, accountability, and assurance.

    Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

    Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a

    Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational

    Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.


    Computer Systems Laboratory Bulletin. Threats to Computer Systems: An Overview. March 1994.

    NIST Interagency Reports 4749. Sample Statements of Work for Federal Computer Security Services: For Use In-House or Contracting Out. December 1991.

    NIST Special Publication 800-12. An Introduction to Computer Security: The NIST Handbook. October 1995.

    NIST Special Publication 800-14. Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996. Co-authored with Barbara Guttman.

    NIST Special Publication 800-18. Guide for Developing Security Plans for Information Technology Systems. December 1998. Co-authored with Federal Computer Security Managers’ Forum Working Group.

    NIST Special Publication 800-26. Security Self-Assessment Guide for Information Technology Systems. August 2001.

    NIST Special Publication 800-27. Engineering Principles for IT Security. June 2001.

    OMB Circular A-130. Management of Federal Information Resources. Appendix III. November 2000.



    The Definitive Cybersecurity Guide for Directors and Officers

    Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
    Publisher: Tim Dempsey
    Editor: Matt Rosenquist
    Design and Composition: Graphic World, Inc.
    Printing and Binding: Transcontinental Printing
    Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers is published by:
    Caxton Business & Legal, Inc.
    27 North Wacker Drive, Suite 601
    Chicago, IL 60606
    Phone: +1 312 361 0821
    Email: tjd@caxtoninc.com
    First published: 2015
    ISBN: 978-0-9964982-0-3
    Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
    © October 2015
    Cover illustration by Tim Heraldo
    Copyright in individual chapters rests with the authors. No photocopying: copyright licenses do not apply.

    Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (October 2015). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide. This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.

    New York Stock Exchange – Tom Farley, President

    No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk. With the ability to shatter a company’s reputation with their customers and draw criticism from shareholders, lawsuits from affected parties, and attention from the media, the threat of cyber risk is ubiquitous and insidious. No company, region, or industry is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization.

    The New York Stock Exchange has long advocated that exemplary governance and risk oversight is fundamental to the health of individual companies, as well as to the sound operation of our capital markets. In other words, we too take the threat very seriously. Today, managing cybersecurity risk has expanded far beyond the realm of IT; it has become a business continuity necessity to ensure shareholder value remains intact and that privacy and corporate intellectual property is protected. Accordingly, those responsibilities are weighing heavily on corporate executives and directors, making it vital for them to better understand and prepare for the evolving cybersecurity

    Cyber risk ultimately poses a threat to confidence, a foundational aspect of U.S. corporate issuers and markets. We are taking a leadership role on many fronts, such as reducing market fragmentation and complexity, as well as increasing efficiency through the highest levels of intelligence, analytics, and technology. Confidence in the integrity and security of our assets is concurrent with our success—as it is for every other company operating in the public markets today.

    Moreover, because the public markets have become increasingly reliant on interdependent technology systems, the threat looms even larger. As we witnessed during the 2008 financial crisis, rarely does any failure happen in a vacuum; therefore, the threat of systemic disruption has taken on an even higher level of prominence and concern among regulators and policymakers worldwide.

    It is important that companies remain vigilant, taking steps to proactively and intelligently address cybersecurity risk within their organizations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, awareness, and insight on human behavior. Confidence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them.

    With insights from the preeminent authorities on cybersecurity today, this groundbreaking, practical guide to cybersecurity has been developed to reflect a body of knowledge that is unsurpassed on this topic. At the heart of effective risk management must be a thorough understanding of the risks as well as pragmatic solutions.

    Thank you for your continued partnership with the New York Stock Exchange, and we look forward to continuing to support your requirements in this dynamic landscape.

    Visa Inc. – Charles W. Scharf, CEO

    For years, cybersecurity was an issue that consumers, executive management, and boards of directors took for granted. They were able to do so because the technologists did not. The technologists worked every day to protect their systems from attack, and they were quite effective for many years. We sit here today in a very different position. The threats are bigger than ever before and growing in frequency and severity every day. Cybersecurity is now something everyone needs to think about, whether it’s in your personal or professional life. What worked in the past is not enough to protect us in the present and future.

    So what has changed?

    First of all, the technology platforms of today are bigger targets than ever given the breadth and criticality of items they control. Second, the amount and value of the data that we all produce and store has grown exponentially. The data is a gold mine for criminals. Third, the interconnectedness of the world just makes it easier for more people—regardless of geography—to be able to steal or disrupt. And fourth, the perpetrators are more sophisticated, better organized, better funded, and harder to bring to justice than ever before.

    So the problem is different, and what we all do about it is different.

    This is not simply an IT issue. It is a business problem of the highest level. Protecting our data and our systems is core to business today. And that means that having an outstanding cybersecurity program also can’t detract from our objectives around innovation, speed, and performance.

    Security has been a top priority at Visa for decades. It is foundational to delivering our brand promise. To be the best way to pay and be paid, we must be the most secure way to pay and be paid. We cannot ask people to use our products unless they believe that we are just that. Thus we must guard carefully both the security of our own network and company and the security of the broader payments ecosystem.

    accounts had been compromised—a pivotal moment for our industry.

    The losses experienced by our clients, combined with the impact on consumer confidence, galvanized our industry to take actions that, we believe, will have a meaningful and lasting effect on how the world manages sensitive consumer data—not just

    We are taking action as an ecosystem, to collaborate and share information across industries and with law enforcement and governments and to develop new technologies that will allow us to prevent attacks and respond to threats in the future.

    • Protect payments at physical retailers. Fraudsters have targeted the point-of-sale environment at leading U.S. retailers, capturing consumer account information and forcing the reissuance of millions of payment cards. As an industry we are rapidly introducing EMV (Europay, MasterCard, and Visa) chip payment technology in the United States. Chip-enabled payment cards and terminals work in concert to generate dynamic data with each transaction, rendering the transaction data useless to fraudsters.

    • Protect online payments. Consumer purchases online and with mobile devices are growing at a significant rate. In order to prevent cyberattacks and fraudulent use of consumer accounts online, Visa and the global payments industry adopted a new payment standard for online payments. The new standard replaces the 16-digit account number with a digital token that is used to process online payments without exposing consumer account information.

    • Collaborate and share information. Sharing threat intelligence is a necessity rather than a “nice to have,” allowing merchants, financial institutions, and payment networks like Visa to rapidly detect and respond to cyberattacks. Public and private partnerships are also critical to creating the most robust

    There are several elements that we have found to be critical to ensuring an effective security program at Visa.

    • Be open and honest about the effectiveness of your security program and regularly share an honest assessment of your security posture with the executive team and board. We use a data-driven approach that scores our program across five categories: risk intelligence, malware prevention, vulnerability management, identity and access management, and detection and response. Scores move up and down not only as our defenses improve or new vulnerabilities are discovered but also as threats change.
    The capabilities of the adversaries are
    growing, and you need a dynamic
    approach to measurement.
    � Invest in security before investing
    elsewhere. A well-controlled environment
    gives you the license to do other things.
    Great and innovative products and
    services will only help you win if you
    have a well-protected business.
    � Don’t leave the details to others. Active,
    hands-on engagement by the executive
    team and the board is required. The risk
    is existential. Nothing is more important.
    Your involvement will produce better
    results as well as make sure the whole
    organization understands just how
    important the issue is.
    � Never think you’ve done enough. The
    bad guys are smart and getting smarter.
    They aren’t resting, and they have more
    resources than ever. Assume they will
    Defending against cyberthreats is not some-
    thing that we can solve for our company in a
    vacuum. At Visa, we must protect not only
    our own network but the whole payments
    ecosystem. This came to life for us in late
    2013 when some of the largest U.S. retailers
    and fi nancial institutions in the U.S. reported
    data breaches. Tens of millions of consumer

    vii ■
    community of threat intelligence, so we
    also work closely with law enforcement
    and governments. At the heart of Visa’s
    security strategy is the concept of “cyber
    fusion,” which is centered on the principle
    of shared intelligence—a framework to
    collect, analyze, and leverage cyberthreat
    intelligence, internally and externally,
    to build a better defense for the whole
    Championing security is one of Visa’s six
    strategic goals. This is an area where there
    are no grades—it is pass or fail, and pass is
    the only option. Cybersecurity needs to be
    part of the fabric of every company and
    every industry, integrated into every busi-
    ness process and every employee action.
    And it begins and ends at the top. It is job
    number one.
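The “Protect online payments” point above replaces the 16-digit account number with a token that merchants store and process in its place. The block below is an added example, not Visa’s code or the payment standard’s specification, of how such a token vault keeps the account number out of a merchant’s systems: tokens are random, 16 digits long and Luhn-valid so they fit existing card-number fields, the vault holds the only mapping, and only a caller in the (assumed) network-authorization role can map a token back. The account number used is the widely published test number 4111111111111111; the role name, record layout and breach model are assumptions made for the example.

```python
"""Minimal payment token vault (added illustration, not an industry specification)."""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial + digit` pass the Luhn check."""
    total = 0
    # Walking from the right, the digit next to the (missing) check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Holds the only copy of the account-number-to-token mapping.

    Sits inside the payment network's trusted boundary (an assumption of this
    example); merchants only ever call tokenize().
    """

    def __init__(self, rng=secrets):
        self._rng = rng
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        while True:
            body = "".join(str(self._rng.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)   # 16 digits, Luhn-valid, fits PAN fields
            # Reject a collision with the real number or an already-issued token.
            if token != pan and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the stable token for a well-formed 16-digit account number."""
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("not a well-formed 16-digit account number")
        if pan not in self._pan_to_token:
            token = self._new_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the network's authorization service may recover the account number."""
        if caller_role != "network-authorization":   # role name is an assumption
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant persists: the token and order data, never the account number."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


def dump_contains_pan(merchant_records: list, pans: list) -> bool:
    """Model a breach: an attacker reads every stored value. Is a real PAN among them?"""
    stored = {str(v) for record in merchant_records for v in record.values()}
    return any(pan in stored for pan in pans)


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"      # widely published test number, not a live account
    records = [merchant_checkout(vault, test_pan, 1999), merchant_checkout(vault, test_pan, 4500)]
    print("merchant stores:", records)
    print("breach of merchant records exposes PAN:", dump_contains_pan(records, [test_pan]))
    print("network can detokenize:",
          vault.detokenize(records[0]["token"], "network-authorization") == test_pan)
```

The point the example makes is the one in the text: a dump of the merchant’s records yields only tokens, which are useless without the vault, while the network can still authorize the payment.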

New York Stock Exchange — Tom Farley, President
Visa Inc. — Charles W. Scharf, CEO

Introductions — The cyberthreat in the digital age
Palo Alto Networks Inc. — Mark McLaughlin, CEO
The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security and Jim Pflaging, Principal
Georgia Institute of Technology, Institute for Information Security & Privacy — Jody R. Westby, Esq., Adjunct Professor
Institutional Shareholder Services Inc. — Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research
World Economic Forum — Elena Kvochko, co-author of Towards the Quantification of Cyber Threats report and Danil Kerimi, Director, Center for Global Industries
Internet Security Alliance — Larry Clinton, CEO
Former CIO of The United States Department of Energy — Robert F. Brese

I. Cyber risk and the board of directors
Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner
Fish & Richardson P.C. — Gus P. Coldebella, Principal and Caroline K. Simons, Associate
Internet Security Alliance and National Association of Corporate Directors — Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD
Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing
Dell SecureWorks — Mike Cote, CEO

II. Cyber risk corporate structure
Palo Alto Networks Inc. — Davis Hake, Director of Cybersecurity Strategy
Coalfire — Larry Jones, CEO and Rick Dakin, CEO

III. Cybersecurity legal and regulatory
Booz Allen Hamilton — Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate, Agatha O’Malley, Senior Associate, Jaqueline Cooney, Lead Associate and Waiching Wong, Associate
Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC — Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior
Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate
K&L Gates LLP — Roberta D. Anderson, Partner
Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa Ventrone, Partner and Lindsay Nickle, Partner
Fish & Richardson P.C. — Gus P. Coldebella, Principal
Latham & Watkins LLP — Jennifer Archie, Partner
Kaye Scholer LLP — Adam Golodner, Partner
Pillsbury Winthrop Shaw Pittman LLP — Brian Finch,
Littler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

IV. Comprehensive approach to
Booz Allen Hamilton — Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate
Booz Allen Hamilton — Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; and Christian Paredes,

V. Design best practices
Intercontinental Exchange & New York Stock Exchange — Jerry Perullo, CISO
Palo Alto Networks Inc.

VI. Cybersecurity beyond your network
Booz Allen Hamilton — Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate
Covington & Burling LLP — David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate
Delta Risk LLC — Thomas Fuhrman, President
The Chertoff Group — Mark Weatherford, Principal

VII. Incident response
U.S. Department of Justice — CCIPS Cybersecurity Unit
Booz Allen Hamilton — Jason Escaravage, Vice President; Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate
Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services
Rackspace Inc. — Brian Kelly, Chief Security Officer
BakerHostetler — Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate
Sard Verbinnen & Co — Scott Lindlaw, Principal

VIII. Cyber risk management investment decisions
Axio Global, LLC — Scott Kannry, CEO and David White, Chief Knowledge Officer
Lockton Companies Inc. — Ben Beeson, Senior Vice President, Cybersecurity Practice

IX. Cyber risk and workforce development
NYSE Governance Services — Adam Sodowick, President
Wells Fargo & Company — Rich Baich, CISO
Booz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate
Korn Ferry — Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner
Egon Zehnder — Kal Bittianda, Selena Loh LaCroix, and Chris Patrick

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Introductions — The cyberthreat in the digital age

    Palo Alto Networks Inc. – Mark McLaughlin, CEO
    Prevention: Can it be done?
Frequent headlines announcing the latest cyber breach of a major company, government agency, or organization are the norm today, begging the questions of why and will it ever end?

The reason cybersecurity is ingrained in news cycles, and receives extraordinary investments and focus from businesses and governments around the world, is the growing realization that these breaches are putting our very digital lifestyle at risk. This is not hyperbole. More and more, we live in the digital age, in which things that used to be real and tangible are now machine-generated or only exist as bits and bytes. Consider your bank account and total absence of tangible money or legal tender that underlies it; you trust that the assets exist because you can “see” them when you log in to your account on the financial institution’s website. Or the expectation you have that light, water, electricity, and other utility services will work on command, despite your having little to no idea of how the command actually results in the outcome. Or the comfort in assuming that of the 100,000 planes traversing the globe on an average day, all will fly past each other at safe distances and take off and land at proper intervals. Now, imagine that this trust, reliance, and comfort could not be taken for granted any longer and the total chaos that would ensue. This is the digital age; and with all the efficiencies and productivity that has come with it, more and more we trust that it will just “work.”

This reliance on digital systems is why the tempo of concern due to cyberattacks is rising so rapidly. Business leaders, government leaders, education leaders, and military leaders know that there is a very fine line separating the smoothly functioning digital society built on trust and the chaotic breakdown in society resulting from the erosion of that trust. And it is eroding quickly. Why is that, and do we have any analogies? And, more importantly, can it be fixed?

■ Machine vs. human

At the heart of the cybersecurity battle is a math problem. It is relatively simple to understand, but hard to correct. One of the negative offshoots of the ever-decreasing cost of computing power is the ability for cyber criminals and adversaries to launch increasingly numerous and sophisticated attacks at lower and lower costs. Today, bad actors without the capability to develop their own tools can use existing malware and exploits that are often free or inexpensive to obtain online. Similarly, advanced hackers, criminal organizations, and nation-states are able to use these widely available tools to launch successful intrusions and obscure their identity. These sophisticated adversaries are also developing and selectively using unique tools that could cause even greater harm. This all adds up to tremendous leverage for the attackers. (See Figure 1.)

In the face of this increasing onslaught in the sheer number of attacks and levels of sophistication, the defender is generally relying on decades-old core security technology, often cobbled together in multiple layers of point products; there is no true visibility of the situation, nor are the point products designed to communicate with each other. As a result, to the extent attacks are detected or lessons are learned from an attack, responses are highly manual in nature. Unfortunately, humans facing off against machines have little to no leverage, and cyber expertise is increasingly hard to come by in the battle for talent. Flipping the cost curve on its head with automation and a next-generation, natively integrated security platform is required if there is any hope of reducing the “breach du jour” headlines. (See Figure 2.)

It is unlikely that the number of attacks will abate over time. On the contrary, there is every reason to expect that their number will continue to grow. In fact, we can also expect that the “attack surface” and potential targets will also continue to grow as we constantly increase the connections of various things to the Internet.

An understandable but untenable response to this daunting threat environment is to assume that prevention is impossible, so we must simply detect and respond to all intrusions. The fundamental problem with this approach is that without significant prevention no combination of people, process, and technology can prioritize and respond to every intrusion that could significantly impact a network and those who rely on it. The math problem is simply insurmountable. Quite simply, detection and response should be supplements to, instead of substitutes for, prevention.

FIGURE 1. The attack math (axes: number of successful attacks against cost of launching a successful attack). As computing power becomes less expensive, the cost for launching automated attacks decreases. This allows the number of attacks to increase at a given cost.

So, the strategy must be to significantly decrease the likelihood, and increase the cost, required for an attacker to perform a successful attack. To be more specific, we should not assume that attacks are going away or that all attacks can be stopped. However, we should assume, and be very diligent in ensuring, that the cost of a successful attack can be dramatically increased to the point where the incidence of a successful attack will sharply decline.

When this point is reached, and it will not come overnight, then we will be able to quantify and compartmentalize the risk to something acceptable and understood. It’s at that point that cyber risks will be real and persistent but that they will leave the headlines and fade into the background of everyday life, commerce, communications, and interaction. This should be our goal. Not to eliminate all risk, but to reduce it to something that can be compartmentalized. There is a historical analogy to this problem and an approach to solve it.

FIGURE 2. The attack math (axes: cost of launching a successful attack against number of successful attacks). Harnessing automation and integrated intelligence can continually raise the cost of making an attack successful, eventually decreasing the number of successful attacks.

■ Sputnik analogy

The analogy, which is imperfect but helpful, is the space race. In 1957 the Soviet Union launched Sputnik. The result was panic at the prospect that this technology provided the Soviets with an overwhelming advantage to deliver a nuclear attack across the U.S. Suddenly, the very way of life in the Western world was deemed, appropriately so, at risk. The comfort and confidence of living in a well-protected and prosperous environment was shattered as citizens lost trust in their ability to follow their daily routines and way of life. It appeared as though there was an insurmountable technological lead, and everywhere people turned there was anxiety and cascading bad news.

In the years immediately following Sputnik, the main focus was on how to survive a post–nuclear-war world. Items like backyard bomb shelters and nonperishable food items were in great demand, and schools were teaching duck-and-cover drills. In other words, people were assuming attacks could not be prevented and were preparing for remediation of their society.

However, this fatalistic view was temporary. America relied on diplomacy and traditional forms of deterrence while devoting technological innovation and ingenuity to breakthroughs such as NASA’s Mercury program. While it took a decade of resources, collaboration, trial, and effort, eventually the Mercury program and succeeding efforts changed the leverage in the equation. The space-based attack risk was not eliminated, but it was compartmentalized to the point of fading into the background as a possible but not probable event. It was at this stage that the panic and confusion receded from the headlines and daily reporting. We will know we are in good shape in the cyber battle when we have reached this point. So, how do we get there?
As with all things in life, ideas and philosophy matter. This is true because if you do not know what you are trying to get done, it’s unlikely that you will get it done. In the space race analogy, the philosophy shifted over time from one that primarily assumed an attack was imminent and unstoppable with the majority of planning and resources geared toward life in the post-attack world, to one of prevention where the majority of resources and planning were geared to reduce the probability and effectiveness of an attack.

Importantly, the risk of an attack was not eliminated, but the probability of occurrence and success was reduced by vastly increasing the cost of a successful attack. It was previously noted that no analogy is perfect, so the analogy of “cost” here for space-based attacks and cyberattacks is, of course, measured in different ways. Most notably, cyberthreats are not the sole purview of superpower nations, and the technological innovation most likely to reverse the cost of successful attacks is most likely to come from industry, not governments. However, the principle is the same in that a prevention philosophy is much more likely to result in prevention capabilities being developed, utilized, and continually refined over time.

■ Is prevention possible?

The obvious question then is whether prevention is possible. I think that most security professionals and practitioners would agree that total prevention is not possible. This is disheartening but also no different from any other major risk factor that we have ever dealt with over time. So, the real question is whether prevention is possible to the point where the incidence of successful attacks is reduced to something manageable from a risk perspective. I believe that this is possible over time. In order to achieve this outcome, it is an imperative that cost leverage is gained in the cyber battle. This leverage can be attained by managing the cyber risk to an organization through the continual improvement and coordination of several key elements: technology, process and people, and intelligence sharing.

It is very apparent that traditional or legacy security technology is failing at an alarming rate. There are three primary reasons for this:

• The first is that networks have been built up over a long period of time and often are very complicated in nature, consisting of security technology that has been developed and deployed in a point product, siloed approach. In other words, a security “solution” in traditional network architecture of any size consists of multiple point products from many different vendors all designed to do one specific task, having no ability to inform or collaborate with other products. This means that the security posture of the network is only as “smart” overall as the least smart device or offering. Also, to the extent that any of the thousands of daily threats is successfully detected, protection is highly manual in nature because there is no capability to automatically coordinate or communicate with other capabilities in the network, let alone with other networks not in your organization. That’s a real problem because defenders are relying more and more on the least leverageable resource they have—people—to fight machine-generated attacks.

• Second, these multiple point solutions are often based on decades-old technology, like stateful inspection, which was useful in the late 1990s but is totally incapable of providing security capabilities for today’s attack landscape.

• And third, the concept of a “network” has morphed, and continues to do so at a rapid pace, into something amorphous in nature: the advent of software as a service (SaaS) providers, cloud computing, mobility, the Internet of Things, and other macrotechnology trends that have the impact of security professionals having less and less control over data.

In the face of these challenges, it is critical that a few things are true in the security architecture of the future:

• First is that advanced security systems designed on definitive knowledge of what and who is using the network be deployed. In other words, no guessing.

• Second is that these capabilities be as natively integrated as possible into a platform such that any action by any capability results in an automatic reprogramming of the other capabilities.

• Third is that this platform must also be part of a larger, global ecosystem that enables a constant and near-real-time sharing of attack information that can be used to immediately apply protections preventing other organizations in the ecosystem from falling victim to the same or similar attacks.

• Last is that the security posture is consistent regardless of where data resides or the deployment model of the “network.” For example, the advanced integrated security and automated outcomes must be the same whether the network is on premise, in the cloud, or has data stored off the network in third-party applications. Any inconsistency in the security is a vulnerability point as a general matter. And, as a matter of productivity, security should not be holding back high-productivity deployment scenarios based on the cloud, virtualization, SDN, NFV, and other models of the future.

Process and people

Technology alone is not going to solve the problem. It is incumbent upon an executive team to ensure their technical experts are managing cybersecurity risk to the organization. Most of today’s top executives did not attain their position due to technological and cybersecurity proficiency. However, all successful leaders understand the need to assess organizational risk and to allocate resources and effort based on prioritized competing needs. Given the current threat environment and the math behind successful attacks, leaders need to understand both the value and vulnerabilities residing on their networks and prioritize prevention and response efforts accordingly.

Under executive leadership, it is also very important that there is continued improvement in processes used to manage the security of organizations. People must be continually trained on how to identify cyberattacks and on the appropriate steps to take in the event of an attack. Many of the attacks that are being reported today start or end with poor processes or human error. For example, with so much personal information being readily shared on social networking, it is simple for hackers to assemble very accurate profiles of individuals and their positions in companies and launch socially engineered attacks or campaigns. These attacks can be hard to spot in the absence of proper training for individuals, and difficult to control in the absence of good processes and procedures regardless of how good the technology is that is deployed to protect an

A common attack on organizations to defraud large amounts of money via wire transfers counts on busy people being poorly trained and implementing spotty processes. In such an attack, the attacker uses publicly available personal information gleaned off social networking sites to identify an individual who has the authority to issue a wire transfer in a company. Then the attacker uses a phishing attack, a carefully constructed improper email address that looks accurate on a cursory glance, seemingly from this person’s manager at the company telling the person to send a wire transfer right away to the following coordinates. If the employee is not trained to look for proper email address configuration, or the company does not have a good process in place to validate wire transfer requests, like requiring two approvals, then this attack often succeeds. It is important that technology, process, and people are coordinated, and that training is done on a regular basis.
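The wire-transfer scenario above names two controls: an employee who checks that the requester’s address really belongs to the company, and a process that requires two approvals before money moves. The block below is an added example, not code from the original text or from Palo Alto Networks, that automates both checks on the defender’s side. It classifies the address in a From: header as internal, lookalike (a homoglyph swap, one character off, or the company name embedded in another domain) or external, and it refuses to release a wire request unless the requester is internal and two distinct approvers have signed off. The company domain, the names and every header are constructed for the example.

```python
"""Defender-side checks for the wire-transfer phishing scenario (added example)."""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed for this example: the company whose employees receive wire requests.
COMPANY_DOMAIN = "example-corp.com"

# Digits commonly swapped for visually similar letters in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    """Fold homoglyphs so 'examp1e-corp.com' compares equal to 'example-corp.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one edit away from ours is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Use the actual address, not the display name, which the sender controls."""
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header."""
    domain = sender_domain(from_header)
    if domain == COMPANY_DOMAIN:
        return "internal"
    company_label = COMPANY_DOMAIN.split(".")[0]
    if (normalize_domain(domain) == normalize_domain(COMPANY_DOMAIN)
            or edit_distance(domain, COMPANY_DOMAIN) <= 1
            or company_label in domain):
        return "lookalike"
    return "external"


@dataclass
class WireRequest:
    amount: float
    beneficiary: str                               # placeholder account reference
    requested_via: str                             # From: header of the requesting e-mail
    approvals: set = field(default_factory=set)    # distinct approver identities


def review_wire_request(req: WireRequest) -> dict:
    """Apply both controls from the text; any finding blocks release of the wire."""
    findings = []
    sender_class = classify_sender(req.requested_via)
    if sender_class != "internal":
        findings.append(f"requester domain {sender_domain(req.requested_via)!r} is {sender_class}")
    if len(req.approvals) < 2:
        findings.append(f"{len(req.approvals)} approval(s); two distinct approvers required")
    return {"release": not findings, "findings": findings}


# Constructed sample headers, not real messages.
SAMPLE_FROM_HEADERS = [
    "Dana Lee <dana.lee@example-corp.com>",           # genuine manager address
    "Dana Lee <dana.lee@examp1e-corp.com>",           # digit 1 in place of letter l
    "Dana Lee <dana.lee@example-corp.co>",            # final character dropped
    "Dana Lee <dana.lee@example-corp-finance.com>",   # company name inside another domain
    "Dana Lee <dana.lee@mail.example>",               # unrelated external mailbox
]


def triage_samples() -> list:
    """Classify every sample header; same display name, five different verdicts."""
    return [classify_sender(h) for h in SAMPLE_FROM_HEADERS]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_FROM_HEADERS, triage_samples()):
        print(f"{verdict:9s} {header}")
    rushed = WireRequest(250_000.0, "ACCT-PLACEHOLDER", SAMPLE_FROM_HEADERS[1], {"controller"})
    print(review_wire_request(rushed))
```

The display name is identical in all five headers, which is exactly why the check has to look at the address. The two-approval rule is deliberately independent of the sender check: a request from a genuine internal address still waits for a second approver, which is what blunts a compromised mailbox as well as a lookalike one.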
Intelligence sharing

Given the increasing number and sophistication of cyberattacks, it is difficult to imagine that any one company or organization will have enough threat intelligence at any one time to be able to defeat the vast majority of attacks. However, it is not hard to imagine that if multiple organizations were sharing what they are seeing from an attack perspective with each other in close to real time, that the combined intelligence would limit successful attacks to a small number of the attempted attacks. This is the outcome we should strive for, as getting to this point would mean that the attackers would need to design and develop unique attacks every single time they want to attack an organization, as opposed to today where they can use variants of an attack again and again against multiple targets. Having to design unique attacks every time would significantly drive up the cost of a successful attack and force attackers to aggregate resources in terms of people and money, which would make them more prone to be visible to defenders, law enforcement, and governments.

The network effect of defense is why there is such a focus and attention on threat intelligence information sharing. It is early days on this front, but all progress is good progress, and, importantly, organizations are now using automated systems to share threat intelligence. At the same time, analytical capabilities are being rapidly developed to make use and sense of all the intelligence in ways that will result in advanced platforms being able to reprogram prevention capabilities in rapid fashion such that connected networks will be constantly updating threat capabilities in an ever-increasing ecosystem. This provides immense leverage in the cybersecurity battle.

■ Conclusion

There is understandable concern and attention on the ever-increasing incidence of cyberattacks. However, if we take a longer view of the threat and adopt a prevention-first mindset, the combination of next-generation technology, improvements in processes and training, and real-time sharing of threat information with platforms that can automatically reconfigure the security posture, can vastly reduce the number of successful attacks and restore the digital trust we all require for our global economy.

The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security, and Jim Pflaging, Principal

The three Ts of the cyber economy

Thanks to rapid advances in technology and thinking, over the last decade we have seen entire industries and countries reinvented in large part because of the power of the Internet and related innovations. Naturally, these developments created new opportunities and risks, and none is greater than cybersecurity. Today, business leaders, academics, small business owners, and school kids know about hackers, phishing, identity theft, and even “bad actors.”

In late 2014, the Sony Pictures Entertainment breach led to debates over data security, free speech, and corporate management as well as the details of celebrity feuds and paychecks. The idea of cybersecurity is rising to the fore of our collective consciousness. Notable cybersecurity breaches, including those at Target, Anthem BlueCross, and the U.S. Office of Personnel Management, have demonstrated that no organization or individual is immune to cyberthreat. In short, the cybersecurity environment has changed dramatically over the past several years, and many of us have struggled to keep up. Many firms now find themselves in an environment where one of their greatest business risks is cyber risk, a risk that has rapidly risen from an afterthought to primary focus.

How do we create more opportunity and a safer world while protecting privacy in an interconnected world? This question is not just for policy makers in government and leaders of global Fortune 500 businesses. It affects the neighborhood small business, the academic community, investors and, of course, our children.

Answering that question requires an understanding of the three Ts—technology, threat, and trust. Why? Because these are big interrelated ideas that have a significant effect on business strategy, policy, and public opinion. For starters, you need to know about the three Ts, think about

technology and are thriving. Still, the advantage lies with the firms who not only embraced the Internet but also built their entire business around it: Amazon, Google, and Uber. Finally, there is Apple, which came of age with the Internet and morphed into a wildly successful global leader with the introduction of the iPhone.

There have been applications for these technologies, with significant impact, in a variety of industries. In transportation, Uber is a great example of transforming a pervasive but sedentary sector into a newly reimagined market. Uber used emerging technologies to disrupt seemingly distinct segments such as auto rental and even automotive manufacturing. In the electrical sector, smart meters, transformers, and switches have given utilities greater control over their distribution networks while their customers have gained greater control of their consumption.

However, the golden age of innovation has a dark side. A new class of “bad guys” has emerged and is taking advantage of “holes” in these new technologies and our online behavior to create new risks. This leads us to the second T—Threat.
    ■ Threat
    It is almost cliché to talk about the pervasive-
    ness and escalating impact of cybersecurity
    attacks. However, it is useful to provide a
    map that can help us better understand
    where we may be heading to help us prepare
    and to develop more lasting defenses.
    Using a simple x-y graph, we can create an
    instructive map, in which x represents the
    severity of the impact and y the “actor” or
    perpetrator. Impact can be divided into the
    following stages: embarrassment, theft,
    destruction to a target fi rm or asset, and wide-
    spread destruction. The actors also can be
    grouped into four escalating stages: individu-
    als, hacktivists, cyber organized crime, and
    nation-states. See Figure 1. Given the impor-
    tance of understanding threat, business lead-
    ers should understand how the map applies
    to their business. To aid in this understand-
    ing, it is useful to cover a few examples that
    illustrate various stages of these threats.
    them, and decide how you are going to
    embrace the fi rst, deal with the second, and
    shape the last.
    ■ Technology
    Today we live in a golden age of innovation
    driven by technologies that dominate
    headlines—cloud computing, mobility, big
    data, social media, open source software, vir-
    tualization, and, most recently, the Internet of
    Things. These tectonic shifts allow individu-
    als, government, and companies to innovate
    and reinvent how they interact with each
    other. These forces mandate that we redefi ne
    what, how, and where we manage any busi-
    ness. We need to challenge core assumptions
    about markets, company culture, and the art
    of the possible. The winners will be those
    who leverage these innovations to reduce
    costs and deliver better, lower-priced prod-
    ucts. Take Table 1 below, for example:
    It is easy to see the relationship between
    innovation and valuation. Some companies,
    such as Kodak, did not react fast enough
    and lost their market as a result. Others,
    such as AT&T, have invested heavily in new
    A good reputation
    TABLE Market capitalization
    (or private estimates, USD
    in millions)
    3/31/2005 3/31/2015
    Amazon $13,362 $207,275
    Apple $30,580 $752,160
    Google $64,180 $378,892
    Uber N/A $41,000
    AT&T $78,027 $175,108
    Citigroup $244,346 $165,488
    $388,007 $274,771
    Kodak $6,067 $794
    Sources: Capital IQ, Fortune
[Figure 1: threat map. Only the figure labels survived extraction: Embarrass; Steal; operations and destroy property; business and future earnings; and destruction; JPMorganChase; Saudi Aramco.]

In 2011, a high-profile attack was undertaken by Anonymous, the prominent “hacktivist” collective, in which it attacked the security services firm HBGary Federal. The attack was precipitated by HBGary’s CEO, Aaron Barr, claiming in a Financial Times article that his firm had uncovered the identities of Anonymous leaders and planned on releasing these findings at a security conference in San Francisco the following week.[1] Anonymous responded by hacking into HBGary’s networks, eventually posting archives of company executives’ emails on file-sharing websites, releasing a list of the company’s customers, and taking over the firm’s website. Although the attack did affect HBGary financially, Anonymous’ primary motivation was to embarrass Aaron Barr and HBGary.

More recent attacks have been perpetrated by better-organized criminal gangs and have had a greater impact. For instance, the Target breach, believed to have been the work of criminals operating in Eastern Europe, netted 40 million credit and debit card numbers and 70 million customer records and was largely responsible for the company’s 46 percent drop in profit in Q4 of 2013 when compared to 2012.[2] The attack also resulted in a serious decline in the company’s stock price and led the company’s board to fire their CEO. The attack is estimated to have netted its perpetrators approximately $54 million in profit from the sale of stolen card details on black market sites—quite the motivation for a criminal

Another high-profile attack, directed against Sony Pictures Entertainment, is alleged to have been the work of hackers supported by the government of North Korea. The attackers managed to secure not only a copy of The Interview, which had offended and motivated the North Korean state, but also a vast trove of data from the corporate network, including the personal and salary
details of tens of thousands of employees, internal email traffic, and other highly sensitive information. The attack led the company to delay the release of its big-budget film, and it generated weeks of headlines. The attack also forced the company to take a variety of computer systems offline. Although the long-term impact of the attack is unclear, it has had a dramatic impact on the studio’s reputation, stock price, and earnings.

What is next? In the future, we can expect a continued rise in the severity of cyberthreats. Well-financed criminal gangs and well-resourced nation-states appear to be increasingly capable and willing to engage in attacks that cause significant damage.

Boards and risk

After the initial shock of “how is this possible,” every business leader has to consider what it means for his or her business. Just a few years ago, many viewed cybersecurity threats as a technical problem best left to the company CIO or CISO. Increasingly, CEOs and boards are coming to the realization that cybersecurity threats are a business risk that demands C-level and board scrutiny.

Corporate boards have begun to look at cybersecurity risk in much the same way they would look at other risks to their business, applying risk management frameworks while evaluating the likelihood and impact of cyber risk. Boards also have begun to look at ways to transfer their risk, leading insurance companies to offer cybersecurity insurance products. In their evaluation of cyber risk, companies are also taking a hard look at the second-order effects of a cyberattack, notably the ability for a successful attack to undermine customers’ trust in the company. A successful attack often leads to the revelation of sensitive, personally identifiable information on customers, eroding consumer confidence in the firm. Many of the commonly understood risk management frameworks and related insurance products now being used recognize this and make it clear that corporate boards must have a thorough understanding of the third T, Trust.

■ Trust

One of the greatest casualties in the ever-increasing torrent of cyberthreats is trust—specifically, the trust consumers have in business, the trust citizens and business have in government, and the trust government has in business. This should be troubling for all corporate executives and government leaders because trust is precious to all relationships and is critical to effective workings of commerce and government. As we know, it takes years to build, but it is easy to lose. For instance, a single data breach can undo years of effort and cause immediate and lasting reputation loss.

Measuring trust

Recent consumer surveys suggest that consumers are tired of dealing with fraudulent charges and are raising their expectations for how their favorite brands and websites protect consumer data and personally identifiable information. In May 2015, Pew Research released a study in which 74 percent of Americans said it was “very important” to be “in control of who can get info about you.” Edelman, one of the world’s largest public relations firms, does an annual study called The Trust Barometer. The 2015 edition of this survey showed a huge jump in the importance consumers place in privacy of their personal data. The study revealed that 80 percent of consumers, across dozens of countries and industries, listed this as a top issue in evaluating brands they trust. Finally, HyTrust, an emerging technology company, published a study on the impact of a cyber breach on customer loyalty and trust. Of the 2,000 consumers surveyed, 52 percent said a breach would cause them to take their business elsewhere.[3] What business can afford to lose 50 percent of its customers?

What these numbers make clear is that consumers are paying attention to cybersecurity issues and that failure to address these concerns comes at a company’s own risk. Recent attacks have served as learning moments for many companies and consumers, allowing them to gain a firmer understanding of just
how damaging such an attack can be. However, with this knowledge comes increased expectations for how companies safeguard their data and that of their consumers.

Role of industry

Fortunately, industry is moving in this direction, and many companies have begun to consider cyber risk in their corporate planning. In 2014, the National Association of Corporate Directors issued a call to action, which included five steps that its members should take to ensure their enterprises properly address cyber risk. These include the
• Treating cyber risk as an enterprise risk
• Understanding the legal implications of cyber risks
• Discussion of cyber risk at board meetings, giving cyber risk equal footing with other risks
• Requiring management to have a measurable cybersecurity plan
• The development of a plan at the board level on how to address cyber risks, including which risks should be avoided, accepted, mitigated, or transferred via

Although this guidance is an excellent start, we at The Chertoff Group believe that industry has to go further and move toward a common cyber risk management framework that allows everyone to understand the cyber risks to a business and how the company intends to address them. This model would be a corollary to the Generally Accepted Accounting Principles (GAAP), the standard accounting guidelines and framework that underlies the financials and planning of almost any business. The emergence of GAAP in the 1950s made it significantly easier for investors, regulators, and other stakeholders to gain a clear understanding of a business and its financials, allowing for comparisons across industries and sectors.

In parallel, banks, insurers, and other providers of risk mitigation are scrambling to develop cyber risk mitigation products. Many of the insurance industry’s largest players, including Allstate, Travelers, Marsh, and Tennant, have moved to offer companies cyber insurance products, although the immaturity of the market has created complications for insurers and potential customers. Insurers have had a hard time calculating their risk and thus appropriate premiums for potential customers, while customers have sometimes found their insurance quotes too expensive. Fortunately, time and the accompanying settling of industry standards and actuarial data will help to mature and grow this market.

Role of government

Effective risk management—for governments or private enterprises—starts with an honest understanding of the situation and recognition that information sharing with partners is essential. Information sharing, of course, starts with agreeing on common values, and then trusting vetted, capable, and reliable partners. Information sharing can be, and must be, something that takes place at and across all levels. The Constitution charges the federal government with the responsibility of providing for the defense of the nation while protecting the privacy and civil liberties of our citizens, a difficult balance that requires trust in the government and processes by which we reach that balance.

As we discuss the role of government in information sharing and building trust, we have to acknowledge the impact the Snowden revelations have had on public trust in government. Fundamentally, we have to determine what we want the role of government to be and engage in legal reforms that reflect that role. Laws such as the Computer Fraud and Abuse Act, enacted in 1986 and amended five times since then, and the Electronic Controls Privacy Act (ECPA), which dates to 1986, have to be updated to reflect the significant changes in technology and practice that have occurred since they were envisioned.

Beyond these efforts, we need to establish or reinforce agreed-upon rules and programs
for government data collection on citizens and the legal frameworks that manage the transfer of that data between governments for judicial and law enforcement purposes. Importantly, this initiative must provide for mutual accountability for all participants. These initiatives have to lay out clearly the roles of all participants and, in our opinion, reinforce and strengthen the role for NSA in helping this nation deal with the adversaries that are using information technology to harm us.

On the international front, in response to mounting concerns over data privacy, data security and the rise of online surveillance, governments around the world have been seeking to pass new data protection rules. Several governments, including Germany, Indonesia, and Brazil, have considered enacting “data localization” laws that would require the storage, analysis, and processing of citizen and corporate data to occur only within their borders.

However, many of these proposals are likely to impose economic harm and sow seeds of distrust. For example, several of the proposals under consideration would force companies to build servers in locations where the high price of local energy and the lack of trained engineers could translate into higher costs and reduced efficiencies. Furthermore, requiring that data reside in a server based in Germany instead of one in Ireland will do little to prevent spies from accessing that data if they are determined and capable.

So, what should we do? It is critical that policymakers and technology providers work together to develop solutions that keep online services available to all who rely on them. We must develop principles that can serve as a framework for coordinated multilateral action between states and across the public and private sectors. We must be prepared to lead abroad and at home with effective ideas.

Public-private partnerships (PPPs) are important pieces of the solution and are good models of trust that we should leverage going forward. First, the formation of Information Sharing and Analysis Centers (ISACs) was a Clinton Administration initiative to build PPPs across critical infrastructure sectors. These sector-by-sector ISACs have proven to be models of trust. The Financial Services ISAC has truly epitomized these ideas and is considered by many to be the leading ISAC in sharing threat information. This model has been replicated in other industries and led President Obama to call for an expansion of the information sharing model to smaller groups of companies through Information Sharing and Analysis Organizations (ISAOs). Another example is a U.S. government-industry initiative to combat botnets, in which the government is working with the Industry Botnet Group to identify botnets and minimize their impacts on personal computers.

■ Technology, threat, and trust in the

What do the three Ts of the cyber economy mean for you? Here are just a few of the questions every leader has to consider:
• Are we using technology for competitive
• Are we secure? How do you know? Do we have a framework, a GAAP-equivalent for cyber risk, that gives me the tools to understand and measure risk?
• Are we a good steward of the data we collect about our customers?

Each of us needs answers to these questions. Your response will have a big impact on the future of your organization.

A few years ago, there was a common story in security circles about two types of companies: those who knew they had been hacked and those who had been hacked but did not know it. Going forward, we will talk about companies in terms of who cares about cybersecurity: in some companies, it will be the entire executive suite; in others, it will just be the CISO or CIO. Your company doesn’t want to fall into the latter category. Use the three Ts to help your organization manage cyber risk and leverage the fantastic opportunities in this golden age of

Works Cited

1. See Joseph Menn, “Cyberactivists warned of arrest,” The Financial Times, February 5, 2011. Available at http://www.ft.com/cms/s/0/87dc140e-3099-11e0-9de3-
2. See Maggie McGrath, “Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming,” Forbes, February 26, 2014. Available at http://www.forbes.
3. See “Consumers Increasingly Hold Companies Responsible for Loss of Confidential Information, HyTrust Poll Shows,” HyTrust, October 1, 2014. Available at http://www.hytrust.com/company/news/press-releases/consumers-loss-confidential-info. Additional survey data available at http://www.hytrust.com/sites/default/files/HyTrust_consumer_poll_results_with_charts2 .

SecurityRoundtable.org
Georgia Institute of Technology, Institute for Information Security & Privacy – Jody R. Westby, Esq., Adjunct Professor

Cyber governance best practices

■ The evolution of cybersecurity governance

Corporate governance has evolved as a means of protecting investors through regulation, disclosure, and best practices. The United Nations Guidance on Good Practices in Corporate Governance Disclosure noted:

Where there is a local code on corporate governance, enterprises should follow a “comply or explain” rule whereby they disclose the extent to which they followed the local code’s recommendations and explain any deviations. Where there is no local code on corporate governance, companies should follow recognized international good practices.[1]

The Business Roundtable (BRT), one of America’s most prominent business associations, has promoted the use of best practices as a governance tool since it published its first Principles of Corporate Governance in 2002. In its 2012 update, BRT noted:

Business Roundtable continues to believe, as we noted in Principles of Corporate Governance (2005), that the United States has the best corporate governance, financial reporting and securities markets systems in the world. These systems work because of the adoption of best practices by public companies within a framework of laws and regulations that establish minimum requirements while affording companies the ability to develop individualized practices that are appropriate for them. Even in the challenging times posed by the ongoing difficult economic environment, corporations have continued to work proactively to refine their governance practices, and develop new practices, as conditions change and “best practices” continue to evolve.[2]
Increases in cybercrime and attacks on corporate systems and data have propelled discussions regarding governance of cyber risks and what exactly boards and senior executives should be doing to properly manage this new risk environment and protect corporate assets. The topic reached a crescendo in May 2014 when the Institutional Shareholder Service (ISS) called for seven of the ten Target board members not to be re-elected on the grounds that the failure of the board’s audit and corporate responsibility committees “to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders.”[3]

Over the past decade, the concept of cybersecurity governance has evolved from information technology (IT) governance and cybersecurity best practices. The Information Systems Audit and Control Association (ISACA) has been a frontrunner in IT governance best practices with the COBIT (Control Objectives for Information and Related Technology)[4] framework. ISACA founded the IT Governance Institute (ITGI) in 1998 to advance the governance and management of enterprise IT. The ITGI defines IT governance:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.[5]

Gartner has a similar definition.[6]

■ Cybersecurity program standards and best

As IT systems became vulnerable through networking and Internet connectivity, securing these systems became an essential element of IT governance. The first cybersecurity standard was developed by the British Standards Institute in 1995 as BS 7799. Over time, this comprehensive standard proved its worth and ultimately evolved into ISO 17799 and then ISO/IEC 27001.[8] ISO/IEC 27001 is the most accepted cybersecurity standard globally.

Today, the ISO/IEC 27000 series of information security standards is comprised of nearly 30 standards. ISO, of which the American National Standards Institute (ANSI) is the member body representing U.S. interests for the development of international standards, has additional information security standards outside of the 27000 series.[9] ISO information security standards cover a range of topics, such as security controls, risk management, the protection of personally identifiable information (PII) in clouds, and control systems. Additional security standards also have been developed for financial services, business continuity, network security, supplier relationships, digital evidence, and incident response.[10]

The U.S. National Institute of Standards and Technology (NIST) has developed a comprehensive set of cybersecurity guidance and Federal Information Processing Standards (FIPS),[11] including a Framework for Improving Critical Infrastructure Cybersecurity (Framework).[12] The NIST guidance and standards are world-class materials that are publicly available at no charge. NIST recognized existing standards and best practices by mapping the Framework to ISO/IEC 27001 and COBIT.

Other respected cybersecurity standards have been developed for particular purposes, such as the protection of credit card data and electrical grids. The good news is that cybersecurity best practices and standards are harmonized and requirements can be mapped. This is particularly important because as companies buy and sell operating units or subsidiaries or merge, they may have IT systems and documentation based upon several standards or best practices. Thus, the harmonization of standards enables companies to blend IT departments and security programs and continue to measure

Some companies may need to align with multiple standards. For example, electric transmission and distribution companies
will need to meet the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards, as well as the Payment Card Industry Data Security Standard (PCI DSS) if they take credit cards, and some other broad security program standard, such as ISO/IEC 27001 or NIST for their corporate operations.

Even with harmonization, it is important that companies choose at least one standard to align their cybersecurity program with so progress and security maturity can be measured. In determining which standard to use as a corporate guidepost, organizations should consider the comprehensiveness of the standard. Although standards requirements may be mapped, each standard does not contain the same or equivalent requirements. Thus, it is important to understand the breadth and reach of the standard and to choose one that meets the organization’s security and compliance needs.

ISO/IEC 27001, which can be obtained from ANSI at http://webstore.ansi.org, is a comprehensive standard and a good choice for any size of organization because it is respected globally and is the one most commonly mapped against other standards. One should not make the mistake of believing that all standards contain a full set of requirements for an enterprise security program; they do not. Some standards, such as NERC-CIP or PCI, set forth security requirements for a particular purpose but are not adequate for a full corporate security program.

Leading cybersecurity standards and best practices include:
• The International Organization for Standardization (ISO), the information security series, active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org)
• The American National Standards Institute (ANSI)—the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/
• National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/
• Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/.
• International Society of Automation (ISA), https://www.isa.org/templates/two-
• Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/
• Payment Card Industry Security Standards Council (PCI SSC), https://www.
• Information Security Forum (ISF) Standard of Good Practice for Information Security,
• Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/
• Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/
• North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
• U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571
    ■ 20
    necessarily extends this duty to include the
    protection of the organization’s digital assets
    (data, networks, and software). As a conse-
    quence, the governance of cyber risks has
    become increasingly important for boards of
    directors and senior management. This
    includes exercising good risk management,
    validating the effectiveness of controls, and
    ensuring compliance requirements are met.
    An increase in shareholder derivative
    suits against D&Os for failure to protect
    against breaches also has heightened atten-
    tion on cybersecurity at the board and senior
    management level. Target was hit with share-
    holder derivative suits for failure to protect
    the company and its data from a breach,13 as
    was Wyndham Hotels on similar grounds.14
    In addition, cybersecurity has become an
    important compliance issue that carries the
    risk of headlines concerning enforcement
    actions, investigations, and breaches of per-
    sonally identifi able information. Several state
    and federal laws impose privacy and securi-
    ty requirements on targeted industry sec-
    tors and types of data. For example, the
    Gramm-Leach-Bliley Act (GLBA), the Health
    Insurance Portability and Accountability Act
    (HIPAA), the Health Information Technology
    for Economic and Clinical Health Act
    (HITECH Act), and state breach laws impose
    specifi c requirements pertaining to the secu-
    rity and privacy of data and networks.
    So, what does cyber governance mean?
    What actions should board members be tak-
    ing? Who should be involved—the entire
    board or just certain committees? Cyber gov-
    ernance means more than D&Os periodically
    asking interesting questions or receiving
    reports regarding the company’s cybersecu-
    rity program. There is now an international
    standard, ISO/IEC 27014, on the governance
    of information security, which sets out roles
    and responsibilities for executive manage-
    ment and boards of directors and is applica-
    ble to all types and sizes of organizations.
    The standard notes:
    [G]overnance of information security
    provides a powerful link between an
    organization’s governing body, executive
    Some information security standards,
    such as NERC-CIP, U.S. Nuclear Regulatory
    cybersecurity requirements, PCI standards
    for credit card data, and HIPAA security
    requirements are mandatory. Portions of
    NIST guidance are mandatory for federal
    government contractors and U.S. govern-
    ment agencies and departments. The remain-
    der of the standards listed are voluntary.
In addition to the leading cybersecurity standards listed in the shaded box, additional standards have been developed for certain industry sectors because they require heightened security protections. For example, ISO/IEC 27015 was developed as additional security requirements for financial organizations; ISO/IEC 27799 was developed for information security in health systems using ISO/IEC 27002 (the controls portion of ISO/IEC 27001); 27011 was developed for telecommunications systems using ISO/IEC 27002; and ISO/IEC 27019 was developed for industrial control system security for the energy utility industry.
The value of using a standard as a guidepost for the development, maintenance, and maturity of a security program is that it sets forth best practices for cybersecurity and is updated as required to meet changing threats, technological innovation, and compliance requirements. Standards also enable boards and senior executives to understand how comprehensive their organization’s security program is and provide an objective basis for audits and cybersecurity assessments. Evaluating a cybersecurity program against a leading standard enables an organization to measure progress, assess the effectiveness of controls, identify gaps and deficiencies, and measure program maturity.
■ Cyber governance standards and best practices
Cyber governance standards and best practices have evolved over the past 20 years as companies have increased connectivity to the Internet and networks and as cyberattacks have continued to rise. Directors and officers (D&Os) have a fiduciary duty to protect the organization’s assets and the value of the corporation. The increased dependence on IT systems and data in corporate operations

and compliance obligations, reputational risks, business interruption, and financial losses; allocate the resources needed for the risk-based approach.
3. “Set the direction of investment decisions”: establish an information security investment strategy that meets business and security requirements; integrate security considerations into existing business and investment processes.
4. “Ensure conformance with internal and external requirements”: ensure policies and procedures incorporate legal, regulatory, and contractual obligations; routinely audit such compliance.
5. “Foster a security-positive environment”: accommodate human behavior and the needs of users; promote a positive information security environment through training and tone from the top.
6. “Review performance in relation to business outcomes”: ensure the security program supports business requirements, review impact of security on business as well as controls.18
ISO/IEC 27014 sets forth separate roles and responsibilities for the board and executive management within five processes: Evaluate, Direct, Monitor, Communicate, and Assure. These are set forth in abbreviated form in the following table.19
management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organization.15
The objectives of the standard are to align security program and business objectives and strategies, deliver value to stakeholders and the board, and ensure information risks are adequately managed.16
The difference between IT governance and information security governance is that the latter is focused on the confidentiality, integrity, and availability of information, whereas governance of IT is focused on the resources required to acquire, process, store, and disseminate information.17 ISO/IEC 27014 sets forth six principles as foundation for information security governance:
1. “Establish organization-wide information security”: information security activities should encompass the entire organization and consider the business, information security, physical and logical security, and other relevant issues.
2. “Adopt a risk-based approach”: governance decisions should be based on the risk thresholds of a company, taking into account competitiveness issues, legal
| Board of directors | Executive management |
|---|---|
| Ensure business initiatives take information security into consideration | Ensure information security supports business objectives |
| Review reports on information security performance, initiate prioritized actions | Submit new security projects with significant impact for board review |
| Establish risk thresholds of organization | Ensure security and business objectives are |
| Approve security strategy and overarching | Develop security strategy and overarching |
| Allocate adequate resources for security | Establish a positive culture of cybersecurity |

is IT-focused, however, and does not mention the roles and responsibilities of chief information security officers (CISOs). The separation of the role of the chief information security officer from the chief information officer (CIO) (in other words, not having the CISO report to the CIO) is a best practice that the Board Briefing ignores. It assigns all responsibilities to the CIO, IT Strategy Committee, IT Steering Committee, IT Architecture Review Board, and Technology Council. Nevertheless, it is a valuable resource for boards and executive teams seeking to implement good cyber governance practices.
Finally, Carnegie Mellon University’s Software Engineering Institute developed the Governing for Enterprise Security Implementation Guide in 2007 as a guide for boards and executives on governing enterprise security programs.21 It is still quite instructive and includes a model organizational structure for cyber
■ Beyond ISO/IEC 27014: Other best practices and guidance
At present, the only guidance NIST has developed that addresses information security governance is its 2006 Special Publication 800-100, Information Security Handbook: A Guide for Managers. This publication, however, is written for a federal audience and is more technical than other materials directed toward boards and senior executives.
ISACA’s IT Governance Institute updated its Board Briefing on IT Governance in 2014,20 which sets forth an approach similar to ISO/IEC 27014, but is based on ISACA’s COBIT best practices. The Board Briefing includes questions board members should ask and also checklists, tool kits, roles and responsibilities, and other helpful materials. The Board Briefing focuses on five activity areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement. The publication
| Board of directors | Executive management |
|---|---|
| Assess effectiveness of security program | Determine appropriate metrics for security |
| Ensure compliance and legal obligations are met | Provide input to board on security performance results, impacts on |
| Evaluate changes to operations, legal frameworks, and impact on information | Keep board apprised of new developments affecting information security |
| Report to investors/shareholders on whether information security is adequate for business | Inform board of security issues that require their attention |
| Provide results of external audits or reviews and identified actions to executive team | Ensure board’s actions and decisions regarding security are acted upon |
| Recognize compliance obligations, business needs, and expectations for information | |
| Order independent reviews/audits of security program | Support reviews/audits commissioned by |

members to become inundated in technical data and issues and lose sight of the major risks that must be managed. In part, CIOs and CISOs need to develop better executive and board communication skills when reporting on cybersecurity program activities and incidents. Outside experts can also help separate which cybersecurity governance issues should be directed to the executive management team and which are for board consideration.
Once the critical vulnerabilities that require board and executive attention have been identified, the next step is to determine the information flows that are needed to keep the board and senior management informed and enable informed decision-making. These two steps—identification of cyber-related vulnerabilities and associated information flows—should be followed by an analysis of the board’s and senior management’s roles in incident response and business continuity/disaster
The Target breach revealed how disastrous it can be when a company’s executive team and board are not prepared to manage a major cybersecurity incident. The breach was clever but not terribly difficult to recover from; as ISS pointed out so clearly, it was Target’s executive team and board who failed to protect the company’s data and ensure a robust incident response plan was in place that involved their participation.
Cybersecurity governance is an area where an independent adviser can provide valuable guidance to a board and executive team by reviewing available reports and assessing the current state of the security program, identifying key vulnerabilities and associated information flows that should be directed to the board, advising on the threat environment, and establishing the proper organizational structures for effective cybersecurity governance. These activities should be undertaken in a collaborative fashion with IT and security leaders and in the spirit of helping them gain visibility and support for security program
governance; composition of a cross-organizational privacy/security committee; sample mission, goals, and objectives for a board Risk Committee; and an explanation of the critical activities in an enterprise security program, including who should lead and be involved in them, and the outputs (artifacts) to be developed. It indicates where the board has a role for governance oversight and sets forth roles and responsibilities for the critical players, as well as shared responsibilities, for the following:
• chief security officer/chief information security officer
• chief privacy officer
• chief information officer
• chief financial officer
• general counsel
• business line executives
• human resources
• public relations
• business managers
• procurement
• operational personnel
• asset owners
• certification authority.
    ■ Additional considerations in cybersecurity
Board structure plays a significant role in cybersecurity governance. A Risk Committee is the best choice for governance of cybersecurity because IT risks must be managed as enterprise risks and integrated into enterprise risk management and planning. Many companies place all oversight for cybersecurity in the board Audit Committee, which can substantially increase the workload of that committee. Placing cyber governance with the Audit Committee also creates segregation of duties issues at the board level because the Audit Committee is auditing the security program, determining remediation measures, and then auditing this work the following year.
One of the most important aspects of cybersecurity governance is the identification of vulnerabilities that could have a material impact on corporate operations and/or bottom line. It is easy for board

12. Evaluate the adequacy of cyber insurance against loss valuations and ensure adequate risk strategies are in place for cyber risks.
Many organizations also are struggling with how to integrate cybersecurity into their enterprise risk management process. Most business operations today are dependent upon IT systems and the confidentiality, availability, and integrity of their data. Following are another dozen guiding points on integrating cyber risks into enterprise risk management:
A dozen best practices for integrating cybersecurity into enterprise risk management
1. Understand the business’s strategies, objectives, and needs for IT and data.
2. Inventory assets (data, applications, hardware), assign ownership, classification, and risk categorization.
3. Map legal requirements to data for all
4. Evaluate the security of vendors, business partners, and supply chain linkages.
5. Align the cybersecurity program with best practices and standards.
6. Ensure controls are determined and metrics identified.
7. Conduct a risk assessment to establish a baseline for cyber risk management.
8. Develop cyber risk strategies (block the risk, cyber insurance, other compensating controls, all of these).
9. Design system architecture to accommodate business goals and objectives, meet security and legal requirements, and detect or prevent unauthorized usage.
10. Use technical tools and services to provide integrated data on threats and
11. Make cyber training and security compliance part of annual performance reviews for all personnel.
12. Stay abreast of innovation and changes in the threat environment as well as changing operational requirements.
■ Dutiful dozen
There are some actions that boards can take to ensure they are managing cyber risks and meeting their fiduciary duty. Following is a list of a dozen actions that are within best practices, which can be used as a starting point and checklist for governance
A dozen best practices for cyber governance
1. Establish a governance structure with a board Risk Committee and a cross-organizational internal team.
2. Identify the key cyber vulnerabilities associated with the organization’s
3. Identify the security program activities over which boards and executives should exercise oversight, and identify the key information flows and reports that will inform board and executives on the management of cyber vulnerabilities and security program activities.
4. Identify legal compliance and financial exposures from IT systems and data.
5. Set the tone from top that privacy and security are high priorities for the organization, and approve top-level policies on acceptable use of technology and compliance with privacy and security policies and procedures.
6. Review the roles and the responsibilities of lead privacy and security personnel, and ensure there is segregation of duties between IT and security functions.
7. Ensure that privacy and security responsibilities are shared, enterprise issues that apply to all personnel.
9. Review and approve annual budgets for security programs.
10. Review annual risk assessments, the maturity of the security program, and support continual improvement.
11. Retain a trusted adviser to independently inform the board on changes in the threat environment, provide assistance on governance issues, and advise on response issues in the event of a major cyber incident.

management of enterprise IT is available at http://www.isaca.org/cobit/pages/
5. Board Briefing on IT Governance, IT Governance Institute, 2nd ed., 2014 at 10, http://www.isaca.org/restricted/
final.
6. Gartner, IT Glossary, “IT Governance,”
7. The term “cybersecurity best practice” may be used interchangeably with “standard” in the cybersecurity context, as the standards embody best practices. The term “standard” is commonly used to refer to mandatory requirements. With respect to cybersecurity programs, however, there is no bright line between best practices and standards. Some standards, such as NERC-CIP and HIPAA, are mandatory for certain organizations, while other standards, such as ISO/IEC, are voluntary. Other standards, such as the Federal Information Processing Standards (FIPS) and NIST guidance (the 800 Special Publication series), are voluntary for some entities and mandatory for others.
8. Wikipedia, “BS 7799,” https://en.
9. International Organization for Standardization, Information Security,
10. Id.
11. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center, http://csrc.nist.gov/publications/
12. Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, Version 1.0, Feb. 12, 2014, http://www.
cybersecurity-framework-021214.
■ Conclusion
Best practices and standards now require boards and senior management to exercise governance over cybersecurity programs and associated risks. Laws such as Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act all require executive oversight of security programs. Each organization’s operations, system architecture, policies and procedures, and culture vary; thus, cyber risk management has to be tailored to the organization. Boards should know what standards/best practices their organization is using to implement their security program and determine an approach for their own governance activities. Checklists and the use of ISO/IEC 27014, the ISACA Board Briefing on IT Governance, and the Carnegie Mellon University’s Governing for Enterprise Security Implementation Guide are all useful resources that will help ensure boards are meeting their fiduciary duty and protecting the assets of the organization.
1. Guidance on Good Practices in Corporate Governance Disclosure, United Nations Conference on Trade and Development (UNCTAD), New York & Geneva, 2006,
en.
2. Principles of Corporate Governance 2012, Harvard Law School Forum on Corporate Governance and Financial Regulation, Aug. 17, 2012, http://corpgov.law.
3. Elizabeth A. Harris, “Advisory Group Opposes Re-election of Most of Target’s Board,” The New York Times, May 28, 2014, http://www.nytimes.com/
board.html?_r=0 (quoting ISS report).
4. COBIT is an acronym for Control Objectives for Information and Related Technology. Information on the COBIT 5 framework for the governance and

    ■ 26 SecurityRoundtable.org
16. Id. at 4.2, “Objectives.”
17. Id. at 4.4, “Relationship.”
18. Id. at 5.2, “Principles.”
19. Id. at 5.3, “Processes.” The full requirements of the standard should be reviewed prior to use by an organization; ISO 27014 is available at http://www.iso.
20. Board Briefing on IT Governance, IT Governance Institute, 2nd ed., 2014, http://www.isaca.org/restricted/
final.
21. Jody R. Westby & Julia H. Allen, Governing for Enterprise Implementation Guide, Carnegie Mellon University, Software Engineering Institute, 2007, http://globalcyberrisk.com/wp-content/uploads/2012/08/Governing-for-Enterprise-Sec-Impl-Guide.
13. See, e.g., Kevin LaCroix, “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” Feb. 3, 2014,
14. See, e.g., Jon Talotta, Michelle Kisloff, & Christopher Pickens, “Data Breaches Hit the Board Room: How to Address Claims Against Directors & Officers,” Hogan & Lovells, Chronicle of Data Protection, Jan. 23, 2015, http://www.hldataprotection.
15. ISO/IEC 27014 (2013), Governance of Information Security, “Summary,”

Institutional Shareholder Services Inc. – Patrick McGurn, ISS Special Counsel, and Martha Carter, ISS Global Head of Research
Investors’ perspectives on cyber risks: Implications for boards
Although pundits proclaimed 2014 as the “Year of the Data Breach” and a significant “no” vote at Target’s annual meeting put directors on notice that shareholders want to know about potential risks, few 2015 corporate disclosure documents provide evidence that boards increased transparency with respect to cyber oversight. Despite prodding from top regulators and investors’ calls for greater transparency, companies continue to fall short on disclosure in their key governance disclosure documents of cybersecurity risks and their board’s oversight of them. Equally concerning is the limited information regarding cyber risk oversight provided by boards at a handful of firms that were the targets of 2014’s most widely publicized breaches. Boards would benefit from an understanding of investors’ perspectives and adoption of best practices in disclosure on cyber risks.
■ Target’s breach led to boardroom backlash
Target’s high-profile data breach made headlines worldwide. Despite this, neither Target’s 2014 proxy statement nor the company’s initial annual meeting-related engagement materials discussed in a meaningful way the massive data theft or the board’s responses to it. As part of its research process leading up to the annual meeting, Institutional Shareholder Services (ISS) engaged with members of the Target board to learn more about the directors’ oversight of cyber risks before and after the breach. In the end, ISS opined in its 2014 annual meeting report on Target that the members of the board’s Audit and Corporate Responsibility committees had “failed to provide sufficient oversight of the risks facing the company that potentially led to the data

lack of sharp, downward stock movements in the wake of disclosures of hacks or other data breaches (or quick rebounds from such price drops when they occur) with shareholders’ apathy over cybersecurity problems. In a recent Harvard Business Review article (Why Data Breaches Don’t Hurt Stock Prices, March 31, 2015), cybersecurity strategist Elena Kvochko and New York Times Chief Technology Officer Rajiv Pant dismiss this easy explanation. They argue that muted stock price reactions to data breaches reflect the absence of timely information and quality tools to price cyber risk: “Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value . . . The long and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify.” Faced with this information vacuum, Kvochko and Pant note that “shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.”
Indeed, stock prices may not tell the whole story. Contrary to the conventional wisdom, recent survey data show investors understand the long-term risks stemming from hacks and they may actually shy away from investing in companies with multiple breaches. A recent survey—conducted by FTI Consulting on behalf of consulting giant KPMG LLP—of more than 130 global institutional investors with an estimated $3 trillion under management found that cyber events may affect investors’ confidence in the board and demand for the affected companies’ shares. Investors opined that less than half of boards of the companies that they currently invest in have adequate skills to manage rising cyberthreats. They also believe that 43 percent of board members have “unacceptable skills and knowledge to manage innovation and risk in the digital world.”
breach.” Accordingly, ISS recommended votes against the members of those two board oversight panels. ISS acknowledged the board’s actions in the wake of the breach but found that the committees “failed to appropriately implement a risk assessment structure that could have better prepared the company for a data breach.”
After investors’ concerns emerged before the meeting, the company engaged in a solicitation effort to defend the board’s response to the breach. When the votes were tallied, none of the members of Target’s audit and governance panels received support from more than 81 percent of the votes cast. Target lead director James A. Johnson received the lowest support—62.9 percent of the votes cast. According to ISS’ Voting Analytics database of institutional investors’ voting records, governance professionals at funds connected to nearly half of Target’s top 10 largest investors cast votes against one or more of the company’s directors.
In the direct wake of the 2014 data breach issues and the dearth of proxy-related disclosure on those matters, SEC Commissioner Luis A. Aguilar fired a shot across the bow of boards that lack disclosure. In a June 10, 2014, speech (“Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus”) delivered at a New York Stock Exchange (NYSE)–hosted cybersecurity conference, Aguilar said, “[B]oard oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.” Noting the wide damage crater caused by cyber events, Aguilar noted that the boardroom plan should include “whether, and how, the cyber-attack will need to be disclosed internally and externally (both to customers and to investors).”
■ Shareholders care about breaches
Are shareholders apathetic about data breaches? Some media reports equate the

■ ISS policy respondents indicate a disclosure
What level of detail do investors expect to see about these issues in disclosures regarding cyberthreats? In 2014, as part of ISS’ 2015 policy-formulation process, we asked institutional investors to weigh the factors they assess in reviewing boardroom oversight of risk, including cyberthreats. A majority of the shareholder respondents indicated that the following are all either “very” or “somewhat” important to their voting decisions on individual directors
• role of the company’s relevant risk oversight committee(s)
• the board’s risk oversight policies and
• directors’ oversight actions prior to and subsequent to the incident(s)
• changes in senior management.
Notably, shareholders do not appear to be looking for scapegoats. Disclosures about boardroom oversight action subsequent to an incident drew more demand than firings. An eye-popping 85 percent of the respondents cited such crisis management and “lessons learned” disclosures as “very important.” In contrast, only 46 percent of the shareholders indicated that changes in senior management are “very important” to them when it came time to vote on director
■ 2015 disclosures provide few insights
Despite prodding by the SEC and numerous indications from investors, many boards continue to lack disclosure of cyberthreats in their flagship documents—the proxy statement and the 10-K. Only a handful of the companies that drew widespread coverage of their data breaches during 2014 mention the events in their proxy statements, and many cite materiality concerns to avoid discussing the data breaches in detail in their 10-Ks.
In sharp contrast to the absence of information in Target’s 2014 proxy statement,
More ominously for boards, four of five investor respondents (79 percent) suggested that they may blacklist stocks of hacked firms. As for a remedy, 86 percent of the surveyed investors told KPMG and FTI that they want to see increases in the time boards spend on addressing cyber risk.
■ Investors raise the bar for disclosure
Insights on the gap between investors’ expectations and boardroom practices were gleaned from PwC’s juxtaposition of two surveys that it conducted in the summer of 2014, one of 863 directors in PwC’s 2014 Annual Corporate Directors Survey, and the other of institutional investors with more than $11 trillion in aggregate assets under management in PwC’s 2014 Investor Survey.
• Nearly three quarters (74 percent) of investors told PwC that they believe it is important for directors to discuss their company’s crisis response plan in the event of a major security breach. Only about half of directors (52 percent) reported having such discussions.
• Roughly three out of four (74 percent) investors urged boards to boost cyber risk disclosures in response to the SEC’s guidance, but only 38 percent of directors reported discussing the topic.
• Similarly, 68 percent of investors believe it is important for directors to discuss engaging an outside cybersecurity expert, but only 42 percent of directors had done so.
• Fifty-five percent of investors said it was important for boards to consider designating a chief information security officer, if their companies did not have one in place. Only half as many directors (26 percent) reported that such a personnel move had been discussed in the boardroom.
• Finally, 45 percent of investors believe it is important for directors to discuss the National Institute of Standards and Technology (NIST)/Department of Homeland Security cybersecurity framework, but only 21 percent of directors reported their boards had done so.

    and management process to the full
Next, the Home Depot disclosure provides some color on the board’s risk oversight policies and procedures:
For a number of years, IT and data security risks have been included in the risks reviewed on a quarterly basis by the ERC and the Audit Committee and in the annual report to the Board on risk assessment and management. In the last few years, the Audit Committee and/or the full Board have also regularly received detailed reports on IT and data security matters from senior members of our IT and internal audit departments. These reports were given at every quarterly Audit Committee meeting in fiscal 2014, including an additional half-day Audit Committee session devoted exclusively to these matters that was held prior to the discovery of the Data Breach. The topics covered by these reports included risk management strategies, consumer data security, the Company’s ongoing risk mitigation activities, and cyber security strategy and governance structure. . . .
To further support our IT and data security efforts, in 2013 the Company enhanced and expanded the Incident Response Team (“IRT”) formed several years earlier. The IRT is charged with developing action plans for and responding rapidly to data security situations. . . . The IRT provided daily updates to the Company’s senior leadership team, who in turn periodically apprised the Lead Director, the Audit Committee and the full Board, as necessary.
    The Home Depot board also highlights its
    cyber-risk oversight actions prior to the
    Under the Board’s and the Audit
    Committee’s leadership and oversight,
    the Company had taken signifi cant steps
    however, another big box retailer provided
    investors with a window into the board’s
    role in cyber risk oversight in its 2015
    proxy materials. Home Depot addressed its
    2014 data breach, which affected up to
    56 million customers who shopped at the
    company’s stores between April 2014 and
    September 2014, with a concise (roughly
    1000-word) explanation of the steps taken
    by the board before and after the company’s
    The proxy statement disclosures include a
    brief summary of the depth and duration of
    the breach, an explanation of the board’s
    delegation of oversight responsibility to the
    audit committee, and an outline of remedial
    steps that the board took in response to the
    Notably, Home Depot’s disclosures gen-
    erally align with all the pillars identifi ed by
    investors in their responses to the ISS policy
    First, Home Depot’s board details the
    delegation of risk oversight to the audit com-
    mittee and describes the directors’ relation-
    ship with the company’s internal audit and
    compliance team:
    The Audit Committee . . . has primary
    responsibility for overseeing risks related
    to information technology and data pri-
    vacy and security. . . . The Audit
    Committee stays apprised of signifi cant
    actual and potential risks faced by the
    Company in part through review of quar-
    terly reports from our Enterprise Risk
    Council (the “ERC”). The quarterly ERC
    reports not only identify the risks faced
    by the Company, but also identify wheth-
    er primary oversight of each risk resides
    with a particular Board committee or the
    full Board . . . The chair of the ERC, who
    is also our Vice President of Internal
    Audit and Corporate Compliance, reports
    the ERC’s risk analyses to senior manage-
    ment regularly and attends each Audit
    Committee meeting. The chair of the ERC
    also provides a detailed annual report
    regarding the Company’s risk assessment

    31 ■
    Privacy Governance Committee,
    to provide further enterprise-wide
    oversight and governance over data
    security. This committee reports
    quarterly to the Audit Committee.
    � We are in the process of further
    augmenting our IT security team,
    including by adding an offi cer level
    Chief Information Security Offi cer and
    hiring additional associates focused on
    IT and data security.
    � We are reviewing and enhancing all
    of our training relating to privacy and
    data security, and we intend to provide
    additional annual data security
    training for all of our associates before
    the end of Fiscal 2015.
    � Our Board, the Audit Committee, and
    a special committee of the Board have
    received regular updates regarding the
    Data Breach. In addition to the IT
    and data security initiatives described
    above, the Board, supported by
    the work of its Audit and Finance
    Committees, has reviewed and
    authorized the expenditures associated
    with a series of capital intensive
    projects designed to further harden
    our IT security environment against
    evolving data security threats.
    ■ Boards would benefi t from engagement
    and disclosure
    Although the good news is that cybersecu-
    rity has seemingly come to the forefront for
    many directors, the bad news is that share-
    holders are not yet getting the transparency
    they need to assess the quality of boardroom
    oversight. The signifi cant “no” vote against
    the Target board at its 2014 annual meeting,
    coupled with survey data, show that share-
    holders are far from apathetic when it comes
    to assessing cyber risk oversight.
    ■ Target’s lessons learned
    In the wake of its challenging 2014 annual
    meeting, Target hosted calls or held meet-
    ings with shareholders representing approx-
    imately 41% of shares voted. The majority of
    to address evolving privacy and cyber
    security risks before we became aware of
    the Data Breach:
    � Prior to the Data Breach and in part
    in reaction to breaches experienced
    by other companies, we augmented
    our existing security activities by
    launching a multi-work stream effort
    to review and further harden our
    IT and data security processes and
    systems. This effort included working
    extensively with third-party experts
    and security fi rms and has been
    subsequently modifi ed and enhanced
    based on our learnings from the Data
    Breach experience.
    � In January 2014, as part of the efforts
    described above, we began a major
    payment security project to provide
    enhanced encryption of payment card
    data at the point of sale in all of our U.S.
    stores. . . . Upon discovery of the Data
    Breach, we accelerated completion
    of the project to September 2014,
    offering signifi cant new protection for
    customers. The new security protection
    takes raw payment card information
    and scrambles it to make it unreadable
    to unauthorized users. . . .
    � We are rolling out EMV “chip-and-PIN”
    technology in our U.S. stores, which
    adds extra layers of payment card
    protection for customers who use EMV
    chip-and-PIN enabled cards. . . .
    Finally, the Home Depot board discusses the
    boardroom oversight actions taken subse-
    quent to the incident including changes in
    senior management:
    Following discovery of the Data Breach,
    in addition to continuing the efforts
    described above, the Company and the
    Board took a number of additional
    � We formed an internal executive
    committee, the Data Security and

    ■ 32 SecurityRoundtable.org
    these conversations were led by Director
    Anne Mulcahy. In light of this feedback and
    with the assistance of a third-party strategy
    and risk management and regulatory com-
    pliance consultant, the board “embarked on
    a comprehensive review” of risk oversight
    at the management, board, and committee
    levels. As a result of this comprehensive
    review, in January 2015, the Target board
    “clarifi ed and enhanced” its practices to pro-
    vide more transparency about how risk
    oversight is exercised at the board and com-
    mittee levels. As part of this revamp, the
    board reallocated and clarifi ed risk oversight
    responsibilities among the committees, most
    notably by elevating the risk oversight role
    of the corporate risk & responsibility com-
    mittee (formerly known as the corporate
    responsibility committee).
    Examples such as Home Depot and the
    Target board’s 2015 disclosures provide
    more transparency on risk oversight and are
    a good framework for other boards to follow.
    Boards would be wise to raise their games
    by disclosing more details of their board
    oversight efforts and engaging with inves-
    tors when cyber incidents occur, or they may
    run the risk of a loss of investor confi dence.

Elena Kvochko, Author, Towards the Quantification of Cyber Threats report; and Danil Kerimi, Director, Center for Global Industries, World Economic Forum
Toward cyber risks measurement
As most companies in the U.S. already use some form of cloud-based solutions, the digital footprint of enterprises is growing, and so are the risks. Technological solutions have always focused on convenience, transparency, and an ever-increasing ability to share information and collaborate, while built-in security hasn’t been a priority until recently. Now enterprises are shifting away from this model. Growing privacy and security concerns affect customer perception. According to Deloitte, 80% of customers are aware of recent cyber breaches, and 50% of them are ready to switch brands if they feel their information may be compromised. Experian reported that cyber breaches are now as devastating for the reputation of organizations as environmental disasters and poor customer service.
Most executives recognize that cyber risks are no longer on the horizon but are an imminent cost of doing business. Companies are actively looking for effective mitigation actions. Recent surveys show that cybersecurity is already part of the agenda of 80% of corporate boards (up from around 30% four years ago). Companies are adjusting their enterprise risk management frameworks and including cyber risks and accompanying controls as part of the necessary risk management actions. Traditional controls introduced for in-house infrastructure no longer work, as more and more operations are performed in the cloud. Just as in any healthy ecosystem, these environments present great opportunities for stakeholders to interact with each other and with the content, but they also carry inherent risks.
Risk mitigation approaches and technologies lag behind the sophistication of the threat. In fact, our earlier research with the World Economic Forum and McKinsey showed that 90% of executives feel they only have “nascent” and “developing” capabilities to combat cyberthreats. In this situation, when cyber breaches have become an inevitable reality of doing business, executives ask themselves, “What does it mean for my business, how probable is it that a devastating breach will happen to us, and how much could it cost us?” Still, very few organizations have developed ways to assess their cyber risk exposure and to quantify it.
In this chapter, we discuss the cyber value-at-risk framework introduced by the Partnering for Cyber Resilience initiative of the World Economic Forum and released at the Annual Summit in Davos in 2015. More than 50 organizations, including Wipro, Deloitte (project advisor), and Aon, have contributed to this effort. The framework laid the foundations for modeling cyber risks and encouraged organizations to take a quantitative approach toward assessing their cyber risks exposure, which could also help make appropriate investment decisions.
We were delighted to see many spin-off projects and initiatives that were initiated as part of this work and hope they will contribute to better risk management tools. Our research showed that the aggregate impact of cybercrime on the global economy can amount to $3 trillion in terms of slowdown in digitization and growth and result in the slower adoption of innovation. Multiple other studies showed significant negative impact of cyber breaches. CSIS established that the annual cost of economic espionage reaches $445 billion. Target’s breach cost the company more than $140 million, a large portion of which went to cover litigation costs. Interestingly, however, Aon research shows that more than 80% of breaches cost the companies less than $1 million.
■ Value-at-risk
How can companies define their risk exposure and the level of investments, as well as priority areas for these investments? To answer this question, we turned to the value-at-risk concept. The concept goes back to the financial services industry and describes the risk appetite and potential losses for a portfolio that an institution will incur over a defined period of time, expressed as a loss threshold that will not be exceeded with a stated probability.
In the cyber value-at-risk, we introduced three major pillars, according to which companies can model their risk exposure: existing vulnerabilities, value of the assets, and profile of an attacker. A complete cyber value-at-risk allows us to answer the question: “Given a successful cyberattack, a company will lose not more than X amount of money over a period of time with 95% confidence.” The application of these models will depend on particular industries, companies, and available data and should be built for an organization. We discussed specific indicators that can potentially be used to populate the model. Mathematically, these components can be brought together and used to build a stochastic model. For example, vulnerabilities can be measured in the number of existing unpatched vulnerabilities, not-up-to-date software, number of successful compromises, or results of internal and external audits. They can be benchmarked against the maturity of existing controls and security of networks, applications, data, etc. The maturity of defending systems has to be benchmarked against the threat environment, hence the profile-of-an-attacker component becomes important. In this model, it would be important to look into their motivations (e.g., financial gain, destruction of assets, espionage), the tools they are using, and their innovative approaches. Because cyber breaches are criminal activity, nontechnical factors, such as behavioral motivations, are to be considered. The component of the value of assets of many organizations is difficult to establish. This includes tangible assets, such as financial flows, infrastructure, and products, and intangible assets, primarily data assets (customer and employee data, business strategies, intellectual property), brand, reputation, and trust of stakeholders. Although the cost of business interruption can be quantified more easily, the impact on intangible assets is still subject to approximation. The impact of losing these assets can be unnoticed in the short term but may hurt long-term profitability and market leadership of an organization.
The cyber value-at-risk model has a number of limitations, including availability of data, difficulties in calculating probabilities, and applicability across various industries, but it presents a first step and incentives for organizations to move toward quantitative risk management. By publishing the model, we aimed to encourage more industry stakeholders to develop comprehensive quantitative approaches to cyber risks measurement and management. For further examples and information, please refer to Wipro’s use of cyber value-at-risk for its clients, Deloitte’s continuous development of cyber value-at-risk, Rod Becktom’s cybervar model, and CXOWare’s Cyber Risk application model. The Institute of Risk Management (IRM) announced that it will release a cyber risk quantification framework to help companies assess their cyber risks exposure. The call to action from the Partnering for Cyber Resilience effort was to develop a unified framework that can be used by industries to reduce uncertainty around cyber risks implications on businesses in the absence of dominant models and frameworks. Aon has defined important ways in which quantification of cyberthreats can lead to better business decisions. First, as the conversation has shifted from technology and information security departments to boardrooms, the question of costs and risks becomes ever more prevalent. Quantification helps show the scale and the impact that cyberthreats can have on financial targets and overall competitiveness of organizations; helps define and narrow down the investments required to mitigate those threats; makes it easy to paint compelling pictures, build scenarios, and make business cases; and helps make a determination whether any parts of the risk can be transferred. Deloitte has put together a comprehensive model for a modular approach to cyber risk measurement introducing the following components: probability model (“attractiveness and resilience determine breach probability distribution”); hacker model (mapping out motivations of adversaries in relation to the organization); attack model (attack types and characteristics); asset and loss model (potential loss given a successful attack); security model (describing organizations’ security posture); and company model (modeling organizations’ attractiveness as a target). Cyberpoint’s Cy-var model looks at “time-dependent valuation of assets” while taking into account an organization’s security posture and includes variables such as the values of intellectual property assets, IT security controls in place to protect those assets and other related risks, infrastructure risks, a time horizon, and a probability of an attack.
At the same time, all stakeholders came to agreement that quantifying risks is a challenging task. In a workshop organized together with Deloitte, the World Economic Forum Partnering for Cyber Resilience members defined the attributes of an ideal model of cyber risks quantification: applicability across various industries; ease of interpretation by experts and executives alike; association with real data and measurable security events; scalability across organizations or even across the industry; and, at the same time, not relying on data that are currently absent within most organizations.
Although the cyber value-at-risk framework doesn’t specify how to calculate the final number, it presents core components and gives examples of how these components can be quantified. This complete model, however, could be characterized by general applicability across various industries. For it to be effective, it has to be validated by the industry stakeholders. Cyber value-at-risk aimed to bring together “technical, behavioral and economic factors from both internal (enterprise) and external (systemic) perspectives.” As a next step, it would be important to understand dependencies between various components in the framework and ways to incorporate these models into existing enterprise risk frameworks. It is important to remember that organizations should be wary of new emerging risks and consider cyber risks in addition to broader technology or operational risks.
Overall, the goal was to help raise awareness of cyber risks as a standing and regular cost of doing business and help find a way to measure and mitigate those risks. This can be done through standardization of various risk factors and indicators into a normal distribution.
The components that we looked at in this chapter help bring together various risk factors via “measures of risk likelihood and impact.” To achieve a more granular level of sophistication, quantification and standardization metrics must mature. Some of the main cited obstacles are availability of data to build models, lack of standardized metrics and tools, lack of visibility within the enterprise, and inability to collect data and build models internally. The variables and components of the model can be brought together into a stochastic model, which will show the maximum loss given a certain probability over a given period of time. It was discussed that close to real-time sharing of data between organizations could address some of the main challenges of datasets’ availability and provide enough data to build models.
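The paragraph above describes the shape of that stochastic model without fixing how the number is computed, and the report itself says the framework does not specify the calculation. The script below is an added example, not part of the report or of any vendor model it names: a Monte Carlo frequency/severity simulation in which the attacker profile sets the rate of attack attempts, the vulnerability pillar sets the probability that an attempt succeeds, and the asset pillar sets a lognormal loss per successful attack. The 95th percentile of the simulated annual loss is the “lose not more than X over the period with 95% confidence” figure. Every parameter value, the function names, and the choice of Poisson and lognormal distributions are assumptions made for illustration.

```python
"""Illustrative Monte Carlo cyber value-at-risk over a one-year horizon.

Added example: maps the three pillars (existing vulnerabilities, value of
assets, profile of an attacker) onto an assumed frequency/severity model.
All parameter values are constructed for illustration, not taken from any
report or dataset.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberVarInputs:
    attempts_per_year: float  # attacker profile: expected attack attempts (assumed)
    p_success: float          # vulnerability pillar: P(an attempt succeeds) (assumed)
    loss_median: float        # asset pillar: median loss per successful attack (assumed)
    loss_sigma: float         # asset pillar: log-scale dispersion of that loss (assumed)


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's multiplicative sampler for Poisson(lam); adequate for small rates."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(inputs: CyberVarInputs, n_sims: int = 20000,
                           seed: int = 1) -> list[float]:
    """One simulated year per trial: the number of successful attacks is
    Poisson(attempts * p_success) and each carries an independent lognormal
    loss. Returns the total loss of every trial."""
    rng = random.Random(seed)
    lam = inputs.attempts_per_year * inputs.p_success
    mu = math.log(inputs.loss_median)  # lognormal median -> log-space mean
    totals = []
    for _ in range(n_sims):
        n_breaches = poisson_draw(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, inputs.loss_sigma)
                          for _ in range(n_breaches)))
    return totals


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank empirical quantile for 0 < q <= 1."""
    if not 0 < q <= 1:
        raise ValueError("q must be in (0, 1]")
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def cyber_value_at_risk(inputs: CyberVarInputs, confidence: float = 0.95,
                        n_sims: int = 20000, seed: int = 1) -> dict:
    """Expected annual loss, the loss not exceeded at `confidence` (the cyber
    VaR), and the simulated probability of at least one successful breach."""
    losses = simulate_annual_losses(inputs, n_sims, seed)
    return {
        "expected_loss": sum(losses) / len(losses),
        "var": percentile(losses, confidence),
        "p_any_breach": sum(1 for x in losses if x > 0) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: 40 attempts a year, 5% succeed given current patch
    # lag, median loss $800k per breach with a heavy right tail.
    baseline = CyberVarInputs(40, 0.05, 800_000, 1.2)
    # Same attacker and assets after a control improvement drops p_success to 1.5%.
    hardened = CyberVarInputs(40, 0.015, 800_000, 1.2)
    for label, scenario in (("baseline", baseline), ("hardened", hardened)):
        r = cyber_value_at_risk(scenario)
        print(f"{label}: expected loss ${r['expected_loss']:,.0f}; "
              f"95% VaR ${r['var']:,.0f}; P(>=1 breach) {r['p_any_breach']:.2f}")
```

Running the script compares the baseline and hardened scenarios, which is the decision the chapter says boards want quantified: how much a control investment moves the tail, not only the mean. The sampler is seeded, so the figures are reproducible, but they are only as credible as the inputs; the report’s caveat about data availability applies to every field of `CyberVarInputs`.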
Although a silver bullet to achieve cyber resilience doesn’t exist, organizations consider comprehensive frameworks for quantifying and mitigating risk factors, including cyber risks. Following this model, companies will assess their assets and existing controls, quantify vulnerabilities, and know their attackers and threats. The most significant challenge so far is the absence of input variables, the quality of existing datasets and, following these, no standardized measures to assess cyber risk exposures. Building such a model would require efforts in data classification, encourage strong organizational leadership, process improvement and collaboration, as well as improve decision making across various business areas. For example, the car industry, mortgage industry, or most insurers have agreed on standardized metrics and data collection; the same should happen for cyber risks measurement. Understanding dependencies between these variables and what they mean for various industries should be a subject for cross-industry collaboration so that input variables are unified. The main benefits of this approach are seen in the ability to support decision-making processes, quantify the damage at a more granular level, and define appropriate investments. This would help stimulate the development of risk transfer markets and the emergence of secondary risk transfer products to mitigate and distribute the risks. For organizations, the focus will shift from an attacker to assets and how to secure them in such a distributed digital ecosystem, where everything is vulnerable. As more robust quantitative cyber risks models emerge and the industries move toward a standardized, recognizable model, the confidence of digital ecosystem stakeholders and their ability to make effective decisions will also rise.
Based on Towards the Quantification of Cyber Threats report.

    Internet Security Alliance – Larry Clinton, CEO
    The evolving cyberthreat and an
    architecture for addressing it
    According to the Pentagon’s 2015 Annual Report, “The
    military’s computer networks can be compromised by
    low to meddling skilled attacks. Military systems do not
    have a suffi ciently robust security posture to repel sus-
    tained attacks. The development of advanced cyber tech-
    niques makes it likely that a determined adversary can
    acquire a foothold in most DOD systems and be in a posi-
    tion to degrade DOD missions when and if they choose.”
    If the cyber systems of the world’s most sophisticated
    and best funded armed forces can be compromised by
    “low to meddling skilled attacks,” how safe can we expect
    discount retailers, movie studios, or any other corporate
    or public systems to be?
    That is not even the bad news.
    ■ Things are getting much worse: Three reasons
    1. The system is getting weaker.
    The bad news is that the cyber systems that have become
    the underpinning of virtually all of aspects of life in the
    digital age are becoming increasing less secure. There are
    multiple reasons for this distressing trend. First, the sys-
    tem is getting technologically weaker. Virtually no one
    writes code or develops “apps” from scratch. We are still
    relying on many of the core protocols designed in the
    1970s and 80s. These protocols were designed to be
    “open,” not secure. Now the attacking community is
    going back through these core elements of the Internet
    and discovering still new vulnerabilities. So as new func-
    tionalities come online, their own vulnerabilities are sim-
    ply added to the existing and expanding vulnerabilities
    they are built upon. The reality is that the fabric of the
    Internet is riddled with holes, and as we continue to
    stretch that fabric, it is becoming increasingly less secure.
    Additionally, vulnerabilities in many open source
    codes, widely in use for years, are becoming increasingly
    apparent and being exploited by modern “zero-day”

    ■ 38
    new access points to large amounts of data
    resulting from the explosion in the number of
    mobile devices vastly increases the challeng-
    es to securing cyberspace.
    However, the rise in use of mobile devices
    pales in comparison to the coming Internet
    of Things (IoT). The IoT, embedded comput-
    ing devices with Internet connections,
    embraces a wide range of devices, including
    home security systems, cars, smart TVs, and
    security cameras. Like the bring-your-own-
    device (BYOD) phenomenon, the coming of
    the IoT further undermines the overall secu-
    rity of the system by dramatically increasing
    the vectors, making every new employee’s
    internet-connected device, upon upgrade, a
    potential threat vector.
    2. The bad guys are getting better.
    Just after the turn of the century, the NSA
    coined a new term, the “APT,” which stood
    for the advanced persistent threat. The APT
    referred to ultrasophisticated cyberattack
    methods being practiced by advanced
    nation-state actors. These attacks were char-
    acterized by their targeted nature, often
    focused on specifi c people instead of
    networks, their continued and evolving
    nature, and their clever social engineering
    tactics. These were not “hackers” and “script
    kiddies.” These were pros for whom cyberat-
    tacks were their day job.
    They were also characterized by their
    ability to compromise virtually any target
    they selected. APTs routinely compromised
    all anti-virus intrusion detection and best
    practices. They made perimeter defense
    Now these same attack methods, once
    practiced only by sophisticated nation-states,
    are widely in use by common criminals.
    Whereas a few years ago these attacks were
    confi ned to nations and the Defense Industrial
    Complex, they now permeate virtually all
    economic sectors.
    The APT now stands for the average persis-
    tent threat.
    The increasing professionalism and
    sophistication of the attack community is
    fueled by the enormous profi ts cyberattacks
    attacks, and the patching system we have
    relied on to remediate the system can’t keep
    pace. Huge vulnerabilities such as
    Heartbleed and Shellshock have existed
    within open source code for years only to
    be revealed recently when scrutinized by
    fresh eyes.
    Within hours of the Heartbleed vulnerabil-
    ity becoming public in 2014, there was a surge
    of attackers stepping up to exploit it. The
    attackers exploiting the vulnerability were
    much faster than the vendors could patch it.
    This is a growing trend. In 2014 it took
    204 days, 22 days, and 52 days to patch the top
    three zero-day vulnerabilities. In 2013 it took
    only four days for patches to arrive. Even
    more disturbing is that the top fi ve zero-day
    attacks in 2014 were actively used for a com-
    bined 295 days before patches were available.
    Moreover, because almost no one builds
    from scratch anymore, the rate of adoption
    for open source programming as a core com-
    ponent of new software greatly exceeds the
    vetting process for many applications. As
    the code gets altered into new apps, the risks
    continue to multiply. In 2015 Symantec esti-
    mates there are now more than a million
    malicious apps in existence. In fast-moving,
    early stage industry, developers have a
    strong incentive to offer new functionality
    and features, but data protection and priva-
    cy policies tend to be a lesser priority.
    The risks created by the core of the system
    becoming intrinsically weaker is being fur-
    ther magnifi ed by the explosion of access
    points to the system, many with little or no
    security built into their development. Some
    analysts are already asserting that there are
    more mobile devices than there are people
    on the earth. If that is not yet literally true, it
    will shortly be.
    It is now common for individuals to have
    multiple mobile devices and use them inter-
    changeably for work and leisure often with-
    out substantial security settings. Although
    this certainly poses a risk of data being stolen
    directly from smartphones, the greater con-
    cern is that mobile devices are increasingly
    conduits to the cloud, which holds increasing
    amounts of valuable data. The number of

    39 ■
    corporate growth, innovation, and profi ta-
    bility also undermine cybersecurity.
    Technologies such as VOIP or cloud com-
    puting bring tremendous cost effi ciencies but
    dramatically complicate security. Effi cient,
    even necessary, business practices such as the
    use of long supply chains and BYOD are also
    economically attractive but extremely prob-
    lematic from a security perspective.
    Corporate boards are faced with the
    conundrum of needing to use technology to
    grow and maintain their enterprises without
    risking the corporate crown jewels or hard-
    won public faith in the bargain. In addition,
    the fears and potential losses from cyber
    events tend to be speculative and future ori-
    ented, whereas most corporate leaders (as
    well as the citizen investors who have their
    401(k)s tied up in the stock market) tend to
    make their decisions with an eye toward the
    next quarter or two.
    The national security equation
    Finally, from the national security perspec-
    tive, Internet economics are also complicated.
    This economic puzzle is important to solve
    because multiple independent studies indi-
    cate that the number one problem with
    securing critical infrastructure from cyberat-
    tack is economic. As the 2014 National
    Infrastructure Protection Plan makes clear,
    the public and private sectors have aligned,
    but not identical, perspective on cybersecu-
    rity based on their differing, and legally
    mandated, roles and obligations.
    The private sector is legally required to
    invest to maximize shareholder value.
    Although shareholder value is enhanced to
    some degree by security investment, gener-
    ally security is considered a cost center in
    the corporate world. As with most corporate
    investments, security is a mater of cost ben-
    efi t for the private sector. What this trans-
    lates to is that the private sector may legiti-
    mately judge that there is a level of security
    that goes beyond their commercial interest
    and hence their legally mandated obligation
    to their shareholders. An example is the
    common case of pilfering in many retail
    stores, wherein the owner may be aware
are generating—routinely estimated in the hundreds of billions of dollars and growing. It is now apparent that attackers are not going to rely on reusing the same old methods. Instead, like any smart, successful, and growing enterprise, they are investing in R&D and personnel acquisition. They are seeking to grow their business, including finding new vulnerabilities in older infrastructures and thus widening the surface available for attack.
3. The economics of cybersecurity favor the attackers.

Cyberattacks are relatively cheap and easy to access. Virtually anyone can do an Internet search and find vendors to purchase attack methods for a comparatively small investment. The attacker’s business plans are expansive with extremely generous profit margins. Multiple reports suggest hundreds of billions of dollars in criminal cyber revenue each year. They can use virtually identical attack methods against multiple targets. The vast interconnection of the system allows attackers to exploit weaker links who have permitted access to more attractive targets, and their “market” is accessible to them worldwide.
Meanwhile, cyber defense tends to be almost inherently a generation behind the attackers, as anticipating the method and point of attack is extremely difficult. From a business investment perspective it is hard to show return on investment (ROI) for attacks that are prevented, making adequate funding a challenge. Moreover, law enforcement is almost nonexistent—we successfully prosecute less than 2% of cyber criminals, so there is little to discourage the attackers from being bold. Furthermore, as we have already illustrated, consumers tend to prefer utility and function over security, which provides a disincentive for investors to enhance devices with added security, which often slows or limits utility.
This little-understood imbalance of the economic incentives is exacerbated by the fact that many of the technologies and business practices that have recently driven
the Department of Homeland Security (DHS) be given authority to set minimum standards for cybersecurity over the private sector. Subsequently two bills were offered in the Senate, one by the Chairman of the Senate Commerce Committee, Senator Jay Rockefeller (D-WV) with Senator Olympia Snowe (R-ME), and separately by Senate Homeland Security Chairman Joe Lieberman (D-CN) and Senator Susan Collins (R-ME). Both bills largely followed the Obama paradigm of DHS setting regulatory mandates for the private sector with substantial penalties available for noncompliance.
Despite strong backing from the Senate Majority Leader Harry Reid and much of the military establishment, the bills could not get out of committee. Even though Reid exercised his parliamentary power to control the Senate agenda, there was not enough support to even get the bills to the floor for consideration, let alone vote on them.
There was certainly industry opposition to these bills, but what killed them was the bipartisan realization that the traditional regulatory model was an ill fit for cybersecurity. Government agencies’ ability to craft regulations that could keep up with cyberthreats was highly questionable. Early efforts to apply traditional regulation to cyberspace, such as HIPAA in the health-care industry, had not generated success. Indeed, health care is widely considered one of the least cyber secure of all critical infrastructures. However, with cyber systems becoming increasingly ubiquitous and insecure, threatening economic development and national security, there was an obvious need for an affirmative and effective approach. The nonregulatory, collaborative model selected largely followed the “social contract” paradigm previously promoted by industry-government analysts.
The social contract approach

In 2013 President Obama reversed course 180 degrees. In an executive order on cybersecurity the president abandoned the government-centric regulatory approach
that 5% of his inventory is “walking out the back door” every month. The reason he doesn’t hire more guards or put up more cameras or other security measures is that the cost benefit presumably suggests it will cost him 6% to do so, and hence the better business decision is to tolerate this level of
Government doesn’t have that luxury. The government is charged with providing for the common defense. Surely, they have economic considerations with respect to security; however, they are also mandated to a higher level of security largely irrespective of cost to provide for national security, consumer protection, privacy, and other noneconomic considerations.
In the Internet space, government and industry are using the same networks. This means the two users of the systems have differing security requirements—both legitimate and backed by lawful authority. Moreover, requiring greater cybersecurity spending, beyond commercial interest as suggested by some, could run afoul of other government interests such as promoting innovation, competitiveness, and job growth in a world economy (presumably not following U.S.-based requirements).
Finally, the presumption that requiring increased security spending by commercial entities up to the government risk tolerance is in the corporate self-interest is complicated by the data that have emerged after highly publicized cyber breaches. One year after the Target breach, which would presumably damage the company’s image, profitability, and reputation, Target’s stock price was up 22%, suggesting such predictions were incorrect. Similarly, 6 months after the high-profile cyberattacks on Sony (the second high-profile cyberattack for Sony in a few years), Sony’s stock price was up 26%.
■ Some good news: Enlightened policy working in partnership

Traditional regulatory efforts fail

In 2012 President Obama offered a legislative proposal to Congress suggesting that
telephone service at affordable rates, government would guarantee the investment private industry would make in building and providing the service. This agreement ensured enough funds to build, maintain, and upgrade the system plus make a reasonable rate of return on the investment. Thus were born the privately owned public utilities and the rate of return regulation system.

The result was that the U.S. quickly built out the electric and communications systems for the expanding nation, which were generally considered the best in the world. Some have argued this decision was foundational to the U.S.’s rapid expansion and development, which turned it from a relatively minor power in the early part of the twentieth century to the world’s dominant superpower less than a generation later.
Although the Obama social contract approach to cybersecurity has different terms than that of previous infrastructure development, the paradigm is similar. Similar modifications of the incentive model are also in use in other areas of the economy, such as environment, agriculture, and transportation, but this is the first application in the cybersecurity field.

Although it is in its formative stages, at this point early indications for the social contract approach are positive. The cybersecurity framework development process conducted by the National Institute of Standards and Technology (NIST) has been completed and received virtually unanimous praise. In an exceedingly rare development, the Obama approach to cybersecurity closely tracks with that outlined by the House Republican Task Force on Cyber Security. Bipartisan bills using liability incentives, instead of government mandates, are moving through Congress, and additional incentive programs are under development.
■ Conclusion

The cybersecurity problem is extremely serious and becoming more so. An inherently insecure system is becoming weaker. The attack community is becoming more
embodied in his previous legislative proposals and the Senate bills. Instead, he suggested a public-private partnership—a social contract—that would address the technical as well as economic issues that are precluding the development of a cyber system that can become sustainably secure. In this new partnership, industry and government would work together to identify a framework of standards and practices worthy of industry based on cyber risk assessments conducted by the companies. The president ordered that the framework be voluntary, prioritized, and cost effective. If there were an economic gap between what ought to be done and what would be accomplished through normal market mechanisms, a set of market incentives would be developed to promote voluntary adoption of the framework. Although industry that operates under regulatory systems would remain subject to regulatory authority, no new regulatory authority for cybersecurity would be part of the system. Instead, a partnership system based on voluntary use of consensus standards and practices and reinforced through market incentives would be built.
The cyber social contract model has substantial precedent in the history of infrastructure development in the United States. In the early twentieth century the innovative technologies were telephony and electricity transport. Initially the private companies that provided these technologies, because of natural economies, served primarily high-density and affluent markets. Policy makers of the era quickly realized that there was a broader social good that would be served by making these services universally available, but also realized that building out that infrastructure would be costly and uneconomic either for industry or government.

Instead of government taking over the process or mandating that industry make uneconomic investment, the policy makers designed a modern social contract with industry. If industry would build out the networks and provide universal electric and

    ■ 42 SecurityRoundtable.org
sophisticated and enjoys massive economic incentives over the defender community. Traditional government methods to fight criminal activity have not matured to address the threat and may be inappropriate to meet the dynamic nature of this uniquely twenty-first century problem. Fortunately, at least the U.S. government seems to have developed a consensus strategy to better leverage public and private resources to combat cyberthreats without excessively compromising other critical social needs. Although there are some initial signs of progress, the road to creating a sustainably secure cyber system will be long and difficult.
Former CIO of the U.S. Department of Energy – Robert F. Brese

Effective cyber risk management: An integrated approach
In its 2015 Data Breach Report, Verizon found that in 60% of the nearly 80,000 security incidents reviewed, including more than 2,000 confirmed data breaches, cyber attackers were able to compromise an organization within minutes. Alarmingly, only about one third of the compromises were discovered within days of their occurrence. This is not good news for C-suites and boardrooms. Data breaches, compromises in which data loss is unknown, denial of service attacks, destructive malware, and other types of cybersecurity incidents can lead to lost revenue, reputation damage, and even lawsuits, as well as short- and long-term liabilities affecting a company’s future. Although “getting hacked” may seem, or even be, inevitable, the good news is that by taking an integrated approach to risk management, cybersecurity risk can be effectively managed.
But who is responsible for this integrated approach, and what does it include? Although often the case, managing cybersecurity risk should not be left solely to the chief information officer (CIO) and chief information security officer (CISO). Even though these professionals are capable, only an integrated information (i.e., data), information technology, and business approach will enable a company to effectively manage cybersecurity risk as a component of an organization’s overarching enterprise risk program. There is also a movement for board-level involvement and reporting, resulting in a risk to board members’ tenure if they are not considered to be sufficiently engaged in the oversight of cybersecurity risk management and incident response. As an example, in 2014, Institutional Shareholder Services (ISS) recommended that shareholders of Target stock vote against all seven of the directors that were on the board at the time of the highly publicized 2013 breach. Although somewhat shocking, it should be inherently obvious that effective
collaboration. They also predict that the digital industrial economy, and the Internet of Things (IoT), will result in even greater difficulty. However, attempting to scale cybersecurity risk management in isolation from an organization’s enterprise risk program only exposes the organization to greater risk by creating a gap in risk oversight.
Nearly every company has established processes to manage enterprise risk. Larger companies often have a chief risk officer (CRO) or equivalent individual who is independent of the business units and is given the authority and responsibility to manage the enterprise risk processes. Incorporating cybersecurity into the mix of corporately managed risks should be a priority. Some may argue that cybersecurity is too different from the other risks a company faces, such as market risk, credit risk, currency risk, or physical security risk, to be managed in a similar manner. However, although cybersecurity may seem more “technical,” the desired outcome of the treatment is the same, that is, to eliminate, mitigate, transfer, or accept risk affecting the company’s future. One thing is certain: not all cybersecurity risk can be eliminated through controls or transferred through insurance, so residual risk must be accepted. Making good decisions requires an integrated, formal approach.
■ The cybersecurity risk management process

There are several key steps that should be taken to effectively integrate cybersecurity risk management into the company’s enterprise risk management process. This chapter doesn’t attempt to explain the details of any particular process but instead focuses on common attributes that should be used, including risk framing and assessment, controls assessment, risk decision-making, residual risk sign-off, risk monitoring, and accountability. Figure 1 provides a visual of the process. For additional details on approaches to cybersecurity risk management, the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), international standards organizations, and other industry sources may be consulted.
cybersecurity risk management is key to meeting the fiduciary responsibilities of corporate officers and the board.
To ensure success, managing cybersecurity risk must be an ongoing and iterative process, not a one-time, infrequent, or check-the-box activity. This area of risk management must grow with the company and change with ever-evolving cyber threats. Data holdings and information technology (IT) systems, and the Internet-connected environment in which they operate, change at a pace that is more rapid than many of the other variables affecting enterprise risk. Not only must the right stakeholders be engaged at the right levels within an organization, but also the right automated tools and processes must be in place to support risk decision making and monitoring.
■ Perfect security is a myth

As in physical security, there is no such thing as perfect IT (cyber) security. All the firewalls, encryption, passwords, and patches available cannot create a zone of absolute safety that enables a company to operate unimpeded and free of concern regarding the cybersecurity threat. However, perfect security is not required, or even desired. The effects of too little security are fairly obvious. However, too much security unnecessarily constricts the business’ ability to operate by reducing the effectiveness and efficiency of a customer’s access to the company’s products and services and unnecessarily constraining internal and business-to-business (B2B) interactions. Effective risk management finds the balance between the needs of the business to operate and the needs and cost of security. In finding this balance, the company will be able to compete successfully in its market while protecting the critical information and assets on which its success relies.
■ Enterprise risk management

Gartner, Inc., the world’s leading IT research and advisory company, has found that cybersecurity risk management programs have experienced trouble in scaling with corporate initiatives in mobility, cloud, big data, and
a company has to avoid, mitigate, share, transfer, or accept risk. This means that corporate structure, training and awareness programs, physical security, and other options should be considered in addition to traditional IT controls. Cyber insurance may also be considered. Again, the CIO and CISO cannot do this alone, and there should be active engagement across all the various business lines, business support, and IT organizations that can contribute to identifying potential controls and the impact they may have on cybersecurity risk.
Risk Decision Making: A crucial element of risk response is the decision-making process. Decisions are made regarding what will be done and what will not be done in response to each risk. A balance must be struck between protecting systems and information and the need to effectively run the business that relies on them. Other factors that should be considered include the amount of risk reduction relative to implementation and maintenance costs and the impacts on employee training and certification requirements.

An acceptable course of action is identified and agreed to by the business, and then controls are implemented and initially evaluated for effectiveness. If the controls perform acceptably, then the sign-off and monitoring processes can begin. If not, then a new course of action must be developed, which may require further controls assessment to respond to the risk or even additional framing and assessment to adjust the risk tolerance.
Risk Framing and Assessment: The initial activities in risk management include risk framing and assessment and controls assessment. CIOs and CISOs have been assessing the risk to IT systems for many years and are well informed on the range of cybersecurity threats and vulnerabilities that affect corporate risk. However, the consequences (i.e., business impact) may or may not be well understood, depending on how close the relationship between IT and the line of business leaders has been in the past. The engagement between IT and the line of business owners is crucial and must result in clarity about the type and amount of risk the business is willing to accept with respect to the

    confidentiality (preventing unauthorized disclosure);
    integrity (preventing unauthorized modification or destruction); and
    availability (ensuring data and systems are operational when needed)

of the information and systems on which the business relies. Once IT understands the business owner’s risk threshold, the CIO and CISO can begin planning, implementing, and assessing the appropriate security
Controls Assessment: Preparing an appropriate response to risk requires the assessment of potential controls. Controls include all of the tools, tactics, and processes
Figure 1. The cybersecurity risk management process (risk framing and assessment, controls assessment, risk decision-making, residual risk sign-off, risk monitoring, and accountability)
treatment plan and/or the accepted level of residual risk may require revision. If so, the previous process steps should be revisited. The frequency of review should be in relation to the likelihood and severity of the risk. Because most companies have a large number of systems, each with their own risk register, an automated system is typically used to aid monitoring and review.
Accountability: Last and most important, we have to consider accountability. Accountability is not about who to blame when something goes wrong. As stated earlier, the likelihood of something going wrong is high. Accountability ensures a formal risk management process is followed and that effective decision-making is occurring. One person should be accountable for the risk management process; however, numerous individuals will be responsible or accountable for the various steps, and many more will be consulted and informed along the way. One option to ensure roles and responsibilities are clearly articulated
Residual Risk Sign-Off: The sign-off of residual risk closes the decision-making process. This should be the role of the business because it is the operational customer of the risk management process. Additionally, this should be a formal, documented activity. The decisions on how each risk will be treated and/or accepted must be articulated in a manner such that the signatory and reviewers (i.e., regulators, etc.) can clearly understand the risk treatment plan and the residual risk being accepted. Once the residual risk is formally accepted, the system is typically placed into operation. The formal recognition of the residual risk also helps build a culture of risk awareness in the business units.
Risk Monitoring: Monitoring risk is an ongoing process. Each monitoring activity is designed with a purpose, type, and frequency of monitoring. Typically, a risk register has been developed during the risk framing and assessment phase and leveraged throughout all steps of the risk management process. The register also serves as a reference for auditors. The register should contain the risks that matter most and be routinely updated and reviewed with the business over time. If the likelihood or severity of consequences changes, or if other physical or IT environmental factors change, the
Table 1. Example RACI matrix for the cybersecurity risk management process

Process Step                  CIO  CISO  LOB  CRO  CEO  Board
Risk Framing and Assessment    A    R     C    C    C    C
Controls Assessment            A    R     C    I    I    I
Risk Decision-Making           C    R     A    C    I    I
Residual Risk Sign-Off         C    R     A    I    I    I
Risk Monitoring                A    R     C    C    I    I
Accountability                 R    C     C    A    C    C

A responsibility assignment matrix (RAM), also known as RACI matrix /ˈreɪsiː/ or ARCI matrix or linear responsibility chart (LRC), describes the participation by various roles in completing tasks or deliverables for a project or business
conduct user acceptance testing or experience surveys as well.
■ Evaluating maturity of an organization’s cybersecurity risk management program

Cybersecurity risk management programs aren’t born effective and are not immediately prepared to scale with the business. Equally important as making effective risk management decisions and accepting residual risk is the continuous evaluation of the process itself. Numerous IT, cybersecurity, and business consultants, as well as trade associations, have published guidance, checklists, and suggested questions for board members. Although there are many ways for the C-suite and board to stay engaged, a company’s cybersecurity risk management program must continuously mature to ensure future success. To understand a program’s growing maturity, questions should be focused on evaluating improvements in how well risk is understood and treated, the effectiveness of business leader and general employee participation, how responsive the risk management process is to change, and the capability to effectively respond to an incident.
How consistent is the understanding of the company’s tolerance for cybersecurity risk across the C-suite and senior managers? How deep in the organization does this understanding go?

How well do line of business owners understand the cybersecurity risks associated with their business? Are sound and effective risk management and acceptance decisions being made in a timely manner to meet business needs?

How clearly are roles and responsibilities understood, and how well do role owners adhere to and fulfill their responsibilities? Do employees report cybersecurity issues, and are they incorporated into the risk monitoring process?

When threats, vulnerabilities, or other conditions change, does the risk management process respond and, when necessary, make sustainable changes to the risk treatment plan?
is by using a RACI matrix (see insert) to identify which person or organization is responsible, accountable, consulted, or informed. Table 1 provides an example but should be adjusted to align to the enterprise risk management and governance processes of the company.
■ Information supporting cybersecurity risk

No risk management is a precise science, including cybersecurity risk management. Throughout the risk management process, the information required for success has to be “good enough” to recognize and understand risks to the level necessary to support effective decision-making. Although complex mathematical models may work to manage some risks the company faces, forcibly creating objectivity when little or none exists can actually result in poor or ineffective decisions by creating a focus on the numbers rather than on the meaning of the risk analysis. So, using big-bucket categories such as low, moderate, and high or unlikely, likely, and very likely may be adequate.
■ Stakeholder engagement

A key success factor of ensuring that fiduciary responsibilities are fulfilled in a company’s cybersecurity risk management program is the right level of stakeholder engagement. Leaving the program to the CRO or the CIO alone should not be considered due diligence. Framing and assessing risk requires a clear understanding of corporate risk tolerance. The line of business lead should have the responsibility to sign off on the residual risk, but to make good risk decisions, the perspectives of other individuals and organizations in the company must be consulted and taken into consideration. Depending on the system(s) for which risk is being evaluated, some potential stakeholders include the CIO, CISO, chief financial officer (CFO), legal counsel, and other line of business owners and external partners with supporting or dependent relationships. If there is significant potential to affect the customer experience, there may be a need to
How effective is the cyber incident response plan? Is it regularly exercised, and are lessons learned from exercises and prior incidents leveraged to improve the plan?
■ Effective communications

Long-term effectiveness in cybersecurity risk management requires all employees to fulfill their responsibilities for the security of the organization for which they work. Creating a company culture of cybersecurity risk awareness is critical and is fostered through effective communications. Leadership must understand how risk is being measured across the enterprise, articulate what level is acceptable, and balance the cost they are willing to incur for this level of security. Employees must understand the basics of the various cybersecurity threats and vulnerabilities and the importance of their daily decisions and actions as they go about their business. Regular training and awareness activities are essential and can be similar to the “see something, say something” campaigns related to physical security. Additionally, employees must be empowered and rewarded for identifying cybersecurity issues.
Communications are also important to build strong relationships, not only through customer assurances but also with external partners and suppliers. Communicating cybersecurity requirements and expectations to business partners can improve risk decision-making as well as lead to cooperative approaches to mitigating risk. Cybersecurity risks also exist in the supply chain, and communicating cybersecurity requirements and vetting suppliers for certain critical components or services can effectively reduce risk. Had Target, Home Depot, and certain other high-profile cyberattack victims built stronger cybersecurity relationships with external partners, their risk of becoming a victim may have been reduced.
■ Conclusion

C-suites and boards should not fear cybersecurity. By integrating cybersecurity risk management into the enterprise risk management process and by effectively engaging IT and business executives, cybersecurity risk can be understood and managed. Building a risk-aware culture is important to ensuring the quality of the ongoing risk monitoring process. When cyberthreats and vulnerabilities are regularly evaluated, employees are empowered to report issues, and business executives are aware of potential impacts to their operations, the company’s cybersecurity defenses become more agile and responsive and the overall risk remains under control. Finally, continuous evaluation of the risk management process, including its effectiveness and responsiveness to change and to incidents, is necessary to ensure effectiveness is sustained.

    Electronic version of this guide and additional content available at: SecurityRoundtable.org
Cyber risk and the board of directors
Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner

The risks to boards of directors and board member obligations
As cyberattacks and data breaches continue to accelerate in number and frequency, boards of directors are focusing increasingly on the oversight and management of corporate cybersecurity risks. Directors are not the only ones. An array of federal and state enforcement agencies and regulators, most notably the Department of Justice (DOJ), Department of Homeland Security (DHS), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and state Attorneys General, among others, identify board involvement in enterprise-wide cybersecurity risk management as a crucial factor in companies’ ability to appropriately establish priorities, facilitate adequate resource allocation, and effectively respond to cyberthreats and incidents. As SEC Commissioner Luis A. Aguilar recently noted, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”1 Indeed, even apart from the regulators, aggressive plaintiffs’ lawyers and activist shareholders are similarly demanding that boards be held accountable for cybersecurity. Shareholder derivative actions and activist investor campaigns to oust directors are becoming the norm in high-profile security breaches.

Directors have clearly gotten the message. A survey by the NYSE Governance Services (in partnership with a leading cybersecurity firm) found that cybersecurity is discussed at 80% of all board meetings. However, the same survey revealed that only 34% of boards are confident about their respective companies’ ability to defend themselves against a cyberattack. More troubling, a June 2015 study by the National Association of Corporate Directors found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associated with cybersecurity.2 This is a difficult position to be in: aware of the magnitude of the risks at hand but struggling
to understand and find solutions to address and mitigate them.

In this chapter, we explore the legal obligations of boards of directors, the risks that boards face in the current cybersecurity landscape, and strategies that boards may consider in mitigating that risk to strengthen the corporation and their standing as dutiful

I. Obligations of Board Members

The term “cybersecurity” generally refers to the technical, physical, administrative, and organizational safeguards that a corporation implements to protect, among other things, “personal information,”3 trade secrets and other intellectual property, the network and associated assets, or as applicable, “critical infrastructure.”4 This definition alone should leave no doubt that a board of directors’ role in protecting the corporation’s “crown jewels” is essential to maximizing the interests of the corporation’s shareholders.

Generally, directors owe their corporation fiduciary duties of good faith, care, and loyalty, as well as a duty to avoid corporate waste.3 The specific contours of these duties are controlled by the laws of the state in which the company is incorporated, but the basic principles apply broadly across most jurisdictions (with Delaware corporations law often leading the way). More specifically, directors are obligated to discharge their duties in good faith, with the care an ordinarily prudent person would exercise in the conduct of his or her own business under similar circumstances, and in a manner that the director reasonably believes to be in the best interests of the corporation. To encourage individuals to serve as directors and to free corporate decision making from judicial second-guessing, courts apply the “business judgment rule.” In short, courts presume that directors have acted in good faith and with reasonable care after obtaining all material information, unless proved otherwise; a powerful presumption that is difficult for plaintiffs to overcome, and has led to dismissal of many legal challenges to board action or inaction. To maximize their personal protection, directors must ensure that, if the unthinkable happens and their corporation falls victim to a cybersecurity disaster, they have already taken the steps necessary to preserve this critical defense to personal

In the realm of cybersecurity, the board of directors has “risk oversight” responsibility: the board does not itself manage cybersecurity risks; instead, the board oversees the corporate systems that ensure that management is doing so effectively. Generally, directors will be protected by the business judgment rule and will not be liable for a failure of oversight unless there is a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.” This is known as the Caremark test,5 and there are two recognized ways to fall short: first, the directors intentionally and entirely fail to put any reporting and control system in place; or second, if there is a reporting and control system, the directors refuse to monitor it or fail to act on warnings they receive from the system.

The risk that directors will face personal liability is especially high where the board has not engaged in any oversight of their corporations’ cybersecurity risk. This is a rare case, but other risks are more prevalent. For example, a director may fail to exercise due care if he or she makes a decision to discontinue funding an IT security project without getting any briefing about current cyberthreats the corporation is facing, or worse, after being advised that termination of the project may expose the company to serious threats. If an entirely uninformed or reckless decision to de-fund renders the corporation vulnerable to known or anticipated risks that lead to a breach, the members of the board of directors could be individually liable for breaching their Caremark duties.

II. The Personal Liability Risk to Directors

Boards of directors face increasing litigation risk in connection with their responsibilities
for cybersecurity oversight, particularly in the form of shareholder derivative litigation, where shareholders sue for breaches of directors’ fiduciary duties to the corporation. The rise in shareholder derivative suits coincides with a 2013 Supreme Court decision limiting the viability of class actions that fail to allege a nonspeculative theory of consumer injury resulting from identity theft.6 Because of a lack of success in consumer class actions, plaintiffs’ lawyers have been pivoting to shareholder derivative litigation as another opportunity to profit from massive data breaches.

In the last five years, plaintiffs’ lawyers have initiated shareholder derivative litigation against the directors of four corporations that suffered prominent data breaches: Target Corporation, Wyndham Worldwide Corporation, TJX Companies, Inc., and Heartland Payment Systems, Inc. Target, Heartland, and TJX each were the victims of significant cyberattacks that resulted in the theft of approximately 110, 130, and 45 million credit cards, respectively. The Wyndham matter, on the other hand, involved the theft of only approximately 600,000 customer records; however, unlike the other three companies, it was Wyndham’s third data breach in approximately 24 months that got the company and its directors in hot water. The signs point to Home Depot, Inc., being next in line. A Home Depot shareholder recently brought suit in Delaware seeking to inspect certain corporate books and records. A “books and records demand” is a common predicate for a shareholder derivative action, and this particular shareholder has already indicated that the purpose of her request is to determine whether Home Depot’s management breached fiduciary duties by failing to adequately secure payment information on its data systems, allegedly leading to the exposure of up to 56 million customers’ payment card information.

Although there is some variation in the derivative claims brought to date, most have focused on two allegations: that the directors breached their fiduciary duties by making a decision that was ill-advised or negligent, or by failing to act in the face of a reasonably known cybersecurity threat. Recent cases have included allegations that directors:

• failed to implement and monitor an effective cybersecurity program;
• failed to protect company assets and business by recklessly disregarding cyberattack risks and ignoring red flags;
• failed to implement and maintain internal controls to protect customers’ or employees’ personal or financial
• failed to take reasonable steps to timely notify individuals that the company’s information security system had been
• caused or allowed the company to disseminate materially false and misleading statements to shareholders (in some instances, in company filings).

Board members may not be protected from liability by the exculpation clauses in their corporate charters. Although virtually all corporate charters exculpate board members from personal liability to the fullest extent of the law, Delaware law, for example, prohibits exculpation for breaches of the duty of loyalty, or breaches of the duty of good faith involving “intentional misconduct” or “knowing violations of law.” As a result, because the Delaware Supreme Court has characterized a Caremark violation as a breach of the duty of loyalty,7 exculpation of directors for Caremark breaches may be prohibited. In addition, with the myriad of federal and state laws that touch on privacy and security, directors may also lose their immunity based on “knowing violations of law.” Given the nature of shareholder allegations in derivative litigation, these are important considerations, and importantly, vary depending on the state of incorporation.

Directors should also be mindful of standard securities fraud claims that can be brought against companies in the wake of a data breach. Securities laws generally prohibit public companies from making material
statements of fact that are false or misleading. As companies are being asked more and more questions about data collection and protection practices, directors (and officers) should be careful about statements that are made regarding the company’s cybersecurity posture and should focus on tailoring cybersecurity-related risk disclosures in SEC filings to address the specific threats that the company faces.

Cybersecurity disclosures are of keen interest to the SEC, among others. Very recently, the SEC warned companies to use care in making disclosures about data security and breaches and has launched inquiries to examine companies’ practices in these areas. The SEC also has begun to demand that directors (and boards) take a more active role in cybersecurity risk oversight.

Litigation is not the only risk that directors face. Activist shareholders—who are also customers/clients of corporations—and proxy advisors are challenging the re-election of directors when they perceive that the board did not do enough to protect the corporation from a cyberattack. The most prominent example took place in connection with Target’s data breach. In May 2014, just weeks after Target released its CEO, Institutional Shareholder Services (ISS), a leading proxy advisory firm, urged Target shareholders to seek ouster of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over

Thoughtful, well-planned director involvement in cybersecurity oversight, as explained below, is a critical part of a comprehensive program, including indemnification and insurance, to protect directors against personal liability for breaches. Moreover, it can also assist in creating a compelling narrative that is important in brand and reputation management (as well as litigation defense) that the corporation acted responsibly and reasonably (or even more so) in the face of cybersecurity threats.

III. Protecting Boards of Directors

From a litigation perspective, boards of directors can best protect themselves from shareholder derivative claims accusing them of breaching their fiduciary duties by diligently overseeing the company’s cybersecurity program and thereby laying the foundation for invoking the business judgment rule. Business judgment rule protection is strengthened by ensuring that board members receive periodic briefings on cybersecurity risk and have access to cyber experts whose expertise and experience the board members can rely on in making decisions about what to do (or not to do) to address cybersecurity risks. Most importantly, directors cannot recklessly ignore the information they receive, but must ensure that management is acting reasonably in response to reported information the board receives about risks and vulnerabilities.

Operationally, a board can exercise its oversight in a number of ways, including by (a) devoting board meeting time to presentations from management responsible for cybersecurity and discussions on the subject, to help the board become better acquainted with the company’s cybersecurity posture and risk landscape; (b) directing management to implement a cybersecurity plan that incentivizes management to comply and holds it accountable for violations or non-compliance; (c) monitoring the effectiveness of such plan through internal and/or external controls; and (d) allocating adequate resources to address and remediate identified risks. Boards should invest effort in these actions, on a repeated and consistent basis, and make sure that these actions are clearly documented in board and committee packets, minutes, and reports.

(a) Awareness. Boards should consider appointing a chief information security officer (CISO), or similar officer, and meet regularly with that individual and other experts to understand the company’s risk landscape, threat actors, and strategies to address
that risk. Appointing a CISO has an additional benefit. Reports suggest that companies that have a dedicated CISO detected more security incidents and reported lower average financial losses per incident.8

Boards should also task a committee or subcommittee with responsibility for cybersecurity oversight, and devote time to getting updates and reports on cybersecurity from the CISO on a periodic basis. As with audit committees and accountants, boards can improve oversight by recruiting a board member with aptitude for the technical issues that cybersecurity presents, and placing that individual on the committee/subcommittee tasked with responsibility for cybersecurity oversight. Cybersecurity presentations, however, need not be overly technical. Management should use established analytical risk frameworks, such as the National Institute for Standards and Technology “Framework for Improving Critical Infrastructure Cybersecurity,” (usually referred to as the “NIST Cybersecurity Framework”) to assess and measure the corporation’s current cybersecurity posture. These kinds of frameworks are critical tools that have an important role in bridging the communication and expertise gaps between directors and information security professionals and can also help translate cybersecurity program maturity into metrics and relative relationship models that directors are accustomed to using to make informed decisions about risk. It is principally through their use that directors can become sufficiently informed to exercise good business judgment.

(b) Plan implementation and enforcement. Boards should require that management implement an enterprise-wide cybersecurity risk management plan and align management’s incentives to meet those goals. Although the details of any cybersecurity risk management plan should differ from company to company, the CISO and management should prepare a plan that includes proactive cybersecurity assessments of the company’s network and systems, builds employee awareness of cybersecurity risk and requires periodic training, manages engagements with third parties that are granted access to the company’s network and information, builds an incident response plan, and conducts simulations or “tabletop” exercises to practice and refine that plan. The board should further consider incentivizing the CISO and management for company compliance with cybersecurity policies and procedures (e.g., bonus allocations for meeting certain benchmarks) and create mechanisms for holding them responsible for noncompliance.

(c) Monitor compliance. With an enterprise-wide cybersecurity risk management plan firmly in place, boards of directors should direct that management create internal and external controls to ensure compliance and adherence to that plan. Similar to internal financial controls, boards should direct management to test and certify compliance with cybersecurity policies and procedures. For example, assuming that management establishes a policy that software patches be installed within 30 days of release, management would conduct a patch audit, confirm that all patches have been implemented, and have the CISO certify the results. Alternatively, boards can also retain independent cybersecurity firms that could be engaged by the board to conduct an audit, or validate compliance with cybersecurity policies and procedures, just as they would validate financial results in a financial audit.

(d) Adequate resource allocation. With information in hand about what the
company’s cybersecurity risks are, and an analysis of its current posture, boards should allocate adequate resources to address those risks so that management is appropriately armed and funded to protect the company.

As criminals continue to escalate the cyberwar, boards of directors will increasingly find themselves on the frontlines of regulatory, class plaintiff, and shareholder scrutiny. Directors are well-advised to proactively fulfill their risk oversight functions by driving senior management toward a well-developed and resilient cybersecurity program. In so doing, board members will not only better protect themselves against claims that they failed to discharge their fiduciary duties, but will strengthen their respective organizations’ ability to detect, respond, and recover from cybersecurity crises.

1. SEC Commissioner Luis A. Aguilar, Remarks at the N.Y. Stock Exchange, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014).
2. Press Release, Nat’l Assoc. of Corp. Dir., Only 11% of Corporate Directors Say Boards Have High Level of Cyber-Risk Understanding (June 22, 2015)
3. Personal information is defined under a variety of federal and state laws, as well as industry guidelines, but is generally understood to refer to data that may be used to identify a person. For example, state breach notification laws in the U.S. define personal information, in general, as including first name (or first initial) and last name, in combination with any of the following: (a) social security number; (b) driver’s license number or other government-issued identification; (c) financial or credit/debit account number plus any security code necessary to access the account; or (d) health or medical information.
4. Critical infrastructure refers to systems, assets, or services that are so critical that a cyberattack could cause serious harm to our way of life. Presidential Policy Directive 21 (PPD-21) identifies the following 16 critical infrastructure sectors: chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, waste, and wastewater. See Critical Infrastructure Sectors, Department of Homeland Security, available at http://www.dhs.
5. For Delaware corporations, directors’ compliance with their oversight function is analyzed under the test set out in In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
6. See Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). Consistent with Clapper, most data breach consumer class actions have been dismissed for lack of “standing”: the requirement that a plaintiff has suffered a cognizable injury as a result of the defendant’s conduct. That has proven challenging for plaintiffs because consumers are generally indemnified by banks against fraudulent charges on stolen credit cards, and many courts have rejected generalized claims of injury in the form of emotional distress or exposure to heightened risk of ID theft or fraud.
7. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
8. Ponemon Inst., 2015 Cost of Data Breach Study: Global Analysis (May 2015), http://

Fish & Richardson P.C. – Gus P. Coldebella, Principal and Caroline K. Simons, Associate

Where cybersecurity meets corporate securities: The SEC’s push to regulate public companies’ cyber defenses and disclosures

The risks associated with cyberattacks are a large and growing concern for American companies, no matter the size or the industry. If a company is publicly traded, however, there’s a significant additional impetus for executives’ cyber focus: the ever-increasing attention the U.S. Securities and Exchange Commission (SEC) pays to cybersecurity issues. The SEC, as one of the newest government players in the cybersecurity space, is flexing its regulatory muscles—including by mandating and scrutinizing cybersecurity risk disclosures, prodding companies to disclose additional information, and launching investigations after a breach comes to light.

This chapter explores the SEC’s expanding role as cyber regulator and the growing nexus between cybersecurity and corporate securities. It gives companies a primer on the background and sources of the SEC’s cyber authority, discusses tricky disclosure and securities regulation-related issues, and provides a potential framework for companies to think about whether, how, and when they should publicly disclose cybersecurity risks, and—when the inevitable happens—cyberattacks.

■ The SEC’s authority to regulate cybersecurity

Generally, a company’s duty to disclose material information under U.S. securities laws arises only when a statute or SEC rule requires it, and currently, no existing laws or rules explicitly refer to disclosure of cyber risks or incidents. Even so, the SEC has made it clear that it will use authorities already on the books to promote cybersecurity in public companies. During the SEC’s March 2014 “Cybersecurity Roundtable,” Chairman Mary Jo White said that, although the SEC’s “formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information, it is
incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.” In other words—formal jurisdiction notwithstanding—the SEC will use every tool it has to combat cyber

To divine the SEC’s position on cybersecurity, companies and experienced counsel may look to a patchwork of non-binding staff guidance, SEC officials’ speeches, and especially staff comment letters on companies’ public filings. Given that cyber disclosures can have an effect on corporate reputations and stock price, give would-be attackers information about vulnerabilities, and trigger shareholder and other litigation and government investigations, companies anguish over exactly when, what, and how much to disclose. To answer these questions, it is crucial to understand the background and contours of existing requirements and the SEC’s expectations.

■ History and background of the SEC’s cybersecurity oversight

In May 2011, Senator Jay Rockefeller sent a letter to then-SEC Chairman Mary Schapiro urging the SEC to “develop and publish interpretive guidance clarifying existing disclosure requirements pertaining to information security risk.” Rockefeller, frustrated with Congress’s inability to pass cybersecurity legislation, identified the SEC’s control over corporate public disclosure as a vehicle to promote security in the absence of legislation. Five months after the Rockefeller letter, in October 2011, the Division of Corporation Finance (the “Division”) issued CF Disclosure Guidance: Topic No. 2 (the “Guidance”). Even though it’s not an SEC rule itself, the Guidance announced the Division’s view that—“although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents”—existing SEC rules, such as Regulation S-K, “may impose” obligations to disclose cybersecurity and cyber events in a company’s periodic reporting.

■ Contours of the SEC’s staff guidance

Taking its cues from Regulation S-K, the Guidance details the key places where cybersecurity disclosures may appear in a company’s 10-Ks and 10-Qs. The main focuses are as follows:

• Risk factors. The company’s risk factors are the central place for cyber disclosure. If cybersecurity is among the most significant factors making investment in the company risky, the risk factor disclosure should take into account “all available relevant information” from past attacks, the probability of future attacks occurring, the magnitude of the risks—including third-party risk, and the risk of undetected attacks—and the costs of those risks coming to pass, including the potential costs and consequences resulting from misappropriation of IP assets, corruption of data, or operational disruption. The risk factor should also describe relevant insurance coverage.
• MD&A. If the costs or other consequences of a cyberattack represent a material trend, demand, or uncertainty “that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition,” the company should address cybersecurity risks and cyber incidents in its Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A).
• Description of business. If one or more cyber incidents materially affected the company’s products, services, customer or supplier relationships, or competitive conditions, the Guidance suggests disclosure in the “Description of Business”
• Legal proceedings. If any litigation arose as a result of a cyber incident, the Guidance suggests disclosure if material.
• Financial statements. If significant costs are associated with cyber preparedness or remediation, they should appear in the company’s financial statements.

■ SEC post-guidance practice

Of course, guidance is just guidance unless the SEC, through its actions, gives it teeth. And the SEC has. Under Sarbanes-Oxley, the Division reviews every public company’s reports at least once every three years, and the Division has focused intensely on cyber disclosures since the Guidance—especially risk factor disclosures. Responding to a follow-up letter from Senator Rockefeller requesting that the SEC enshrine the Guidance as a formal SEC rule, Schapiro’s successor Mary Jo White took pains to stress that active staff review of cybersecurity—using existing disclosure rules—was an SEC priority. In her May 1, 2013 letter, White revealed that the Division had already issued approximately 50 cyber-related comment letters. And many more have been sent since then. Google, Amazon, AIG, Quest Diagnostics, and Citigroup are just some of the scores of public companies that received letters from staff urging enhanced disclosures of their cyber risks. The lessons we can learn from those exchanges are detailed below.

■ Tips for preparing 10-K and 10-Q cyber

According to a recent survey by Willis, 87% of Fortune 500 companies claim to have complied with the Guidance. The SEC’s “enforcement” of it through comment letters has given it the muscle and imprimatur of a rule. Certain noteworthy trends that emerge from these letters

Trend 1: Staff pushes for all cyber incidents to be disclosed—material or not. Materiality is the touchstone of disclosure. Even so, and even though the Guidance calls for disclosure of “cyber incidents… that are individually, or in the aggregate, material,” staff comments have consistently urged companies to disclose past data breaches that are not material, even in the face of companies’ well-reasoned positions to the contrary. For instance, Amazon resisted disclosing a past cyberattack at its subsidiary Zappos because it said the entire Zappos operation was not material to Amazon’s consolidated revenues. SEC staff pushed Amazon to disclose it anyway, to place the risk factor “in appropriate context.” A version of this comment appears in letter after letter. By first mandating cybersecurity risk factors via the Guidance, and then urging even non-material incidents to be included in those risk factors for “context,” the staff appears to be pushing for disclosure of past cyber events notwithstanding materiality.

Trend 2: Staff will research cyber incidents—and ask about them. Division staff is independently monitoring breaches and comparing them with company disclosures. When a breach has been reported by a company or in the press, but there is no concomitant disclosure in the company’s filings—especially where the company has already acknowledged susceptibility to attack as a risk factor—the staff will likely notice. Citigroup discovered this when the staff referred to press reports about a 2011 breach that supposedly affected 360,000 credit card accounts and asked why no 10-Q disclosure was made. The staff’s practice is to ask for analysis supporting the conclusion that no further disclosure is necessary, including a discussion of materiality from a financial and reputational risk standpoint. Moreover, when a company discloses that a particular kind of potential breach may be material, the staff’s comment letter almost always asks the company to disclose whether that kind of breach has already occurred—and if it has, to disclose it, material or not (see Trend 1). Taken together, these trends suggest that the SEC may be using its authority to make up for the lack of a federal breach notification law.
    ■ 60
    enumerated material corporate events, such
    as termination of executive offi cers or chang-
    es in auditors, must be reported on a “current
    basis” on Form 8-K. However, no currently-
    existing securities law or rule expressly
    requires cyberattacks—material or other-
    wise—to be reported on Form 8-K. Generally,
    reporting cyber events is entirely voluntary.
    Companies that do so use Form 8-K’s Item
    8.01, “Other Events,” which is used to volun-
    tarily report events that the company consid-
    ers to be of importance to investors. Public
    companies must navigate issues such as
    materiality, selective disclosure, trading, and
    effect on stock price, all in an environment
    where disclosure of a cyber event is almost
    sure to draw a lawsuit, a government investi-
    gation, or other unwanted scrutiny. No one-
    size-fi ts-all answer exists—it is almost always
    a judgment call. In this section, we detail
    some of the questions and analysis that com-
    panies should consider regarding whether to
    disclose an attack on Form 8-K, and if so,
    when. One way to think about these ques-
    tions is outlined in the decision tree on the
    next page (Figure 1).
    Why consider disclosure if you don’t have
    to? Even if no rule mandates disclosure,
    companies and experienced counsel know
    that there are frequently upsides to disclo-
    sure—especially in a world where securi-
    ties litigation, derivative suits, and enforce-
    ment actions are lurking. Instead of pro-
    voking shareholder litigation, might an
    announcement ward it off? Can an 8-K
    eliminate a plaintiff’s or regulator ’s argu-
    ment that an insider traded on the basis on
    material non-public information? The chart
    on the next page (Table 1) lays out some of
    the possible advantages—along with the
    more well-known disadvantages—that com-
    panies should consider.
    Is the cyberattack material? The determina-
    tion of whether a cyber event is material is
    not clear-cut. First, the Supreme Court has
    rejected a bright-line, quantitative rule for
    materiality—instead reaffi rming Basic v.
    Levinson’s formulation that any nonpublic
    information that signifi cantly alters the total
    Trend 3: Staff is interested not only in the
    disclosure, but the pre-disclosure process. As
    Chairman White has stated, even with the
    absence of a direct law or regulation directly
    compelling companies to adopt strict
    cybersecurity measure, the SEC is exercis-
    ing its power to indirectly prod companies
    to analyze and strengthen their cybersecu-
    rity programs through issuing disclosure
    guidance and bringing investigations,
    enforcement actions, and litigation against
    companies that fall short. In this way the
    SEC has taken on a larger mission than
    simply requiring disclosure—it is using its
    existing authorities to steer companies to
    engage in a deep, searching process to
    evaluate cyber risk. Whether or not you
    think the SEC is the appropriate regulator
    of this area, such a searching analysis is
    important to securing a company’s digital
    assets. Management should engage in and
    document its analysis of the effects of cyber
    incidents on the company’s operations,
    with special attention to probability of
    various types of attacks and their potential
    cost, from a quantitative and qualitative
    standpoint. It should do so not just to
    weather the storm of a possible SEC inquiry,
    but because such an analysis brings neces-
    sary executive-level oversight to a crucial
    area of enterprise risk.
    Trend 4: Third-party risk is on the staff’s mind.
    Staff is encouraging companies to look
    beyond their four walls to the cyber risk
    posed by the use of vendors. Staff will ask
    whether the company’s vendors have experi-
    enced cyberattacks, and request assessment—
    and disclosure—if a breach at a third-party
    vendor could have a material effect on the
    company. The SEC likely believes that if
    public companies are required to disclose
    risks in their supply chain in addition to their
    own, third-party cybersecurity will improve
    as a result.
    ■ In the heat of battle: 8-K disclosure
    questions during an attack
    Of course, 10-Ks and 10-Qs are not the only
    reports public companies produce—certain

    61 ■
    Really? Are you sure?
    Will it trigger securities or
    other litigation
    or investigations?
    Will it compromise
    Will the disclosure itself
    harm the company?
    Will insiders trade
    while in possession of
    this information?
    Does it make prior
    statement misleading?
    Does the cost and
    consequence of the breach
    substantially affect you
    or your financial outlook?
    Not sure
    Not sure
    Maybe not
    No No
    Is it material?
    Will you disclose
    anyway via website,
    to third parties, etc.?
    Is discovery of the breach
    (by the gov’t or public)
    likely or inevitable?
    Is there a separate
    obligation to disclose?
    (state PII laws, trading
    Is there a potential
    Regulation FD issue?
    Fish & Richardson 8-k Disclosure Decision Tree
    Pros Cons
    1. May eliminate potential class
    plaintiffs’ argument that
    information was not known
    to the market or was not
    adequately disclosed, cutting
    off potential securities claims
    to the date of the 8-K
    2. May counter allegations that
    insiders were trading on
    basis of material nonpublic
    information about the breach
    (so long as insider trades
    happen after 8-K issued)
    1. If incident is truly not material and
    was not going to be discovered,
    could needlessly cause reputational
    harm and draw litigation and other
    unwanted scrutiny
    2. May be seen as concession that
    incident was material (although
    companies frequently disavow
    materiality in 8-K), and even if not
    material, may make incident seem
    bigger than it is

    ■ 62
    mix of information available to shareholders
    could well be material. Second, even when
    the scope of an attack has come into focus,
    the effects of cyberthefts are frequently hard
    to quantify. Although it is relatively easy for
    a company to decide to announce a breach of
    customer personal information (because the
    breach will likely have to be disclosed under
    state law and because remediation costs may
    be signifi cant), what should a company do
    about, for example, theft of trade secrets,
    such as source code for a big-selling software
    product? Without more (such as the thieves’
    development and marketing of a competing
    product), such a theft may not have a mate-
    rial effect on the company’s fi nancial state-
    ments. Adding to the diffi cult nature of this
    inquiry: companies must be aware that an
    initial determination that the event is not
    material—if the event later becomes public—
    is likely to be critically reexamined with
    20/20 hindsight, months or years after the
    event, by shareholders, plaintiffs’ lawyers,
    regulators, and the press. So careful analysis
    and documentation of the company’s deter-
    mination are important.
    Is there a duty to correct or to update? If the
    company made public statements about its
    information systems or other aspects of its
    operations affected by a cyberattack, and the
    statements were inaccurate or misleading
    when made, the company has an obligation
    to correct the statements—even if it only
    learned of the inaccuracy afterwards. Failure
    to comply with this “duty to correct” can pro-
    vide plaintiffs’ lawyers with fodder for
    a suit alleging that purchasers or sellers relied
    on the inaccurate statement to their detri-
    ment. Moreover, even if the company’s for-
    ward-looking statements were accurate when
    made, some courts have found a “duty to
    update” when circumstances change (such as
    when an attack happens), and the forward-
    looking statement becomes inaccurate.
    Do you have another legal obligation to dis-
    close? Other disclosure requirements may be
    at play, such as any state notifi cation laws that
    require companies to inform affected individ-
    uals if their personally identifi able informa-
    tion (PII) was stolen during an attack. If the
    company is listed on an exchange such as
    NYSE or NASDAQ, the trading markets
    themselves may also have rules requiring
    timely notifi cation of material events. Frankly,
    it is easier for a company to decide to announce
    a data breach on Form 8-K—and to accrue the
    benefi ts to fi ling an 8-K—if it is going to dis-
    close for another reason, or already has.
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses
    Pros Cons
    3. Can eliminate a potential Reg
    FD selective disclosure issue if
    company has to reveal incident
    to employees, third parties,
    4. Quick, full disclosure may stave
    off regulatory scrutiny (but see
    5. Allows company to own the
    message, rather than giving
    control of the message to
    someone else
    3. May trigger stock price drop—and if
    so, likely to draw shareholder litigation
    claiming that pre-8-K disclosures were
    materially misleading
    4. Even if no stock price drop, may
    draw other types of litigation and
    regulatory scrutiny
    5. Could draw other hackers to test
    company’s defenses

    63 ■
    window for insiders. Even after the inci-
    dent’s details are known, if the company is
    leaning against declaring the incident
    material, the question is whether to dis-
    close the incident—material or not—on
    Form 8-K, so no later allegation of insider
    trading can stick. (Of course, if the incident
    is material, no trading by insiders should
    occur until information about the incident
    is made public.)
    When to disclose? The decision to disclose
    is only half of the 8-K equation—another
    question is, when? Target took two months
    after the world knew of its massive data
    breach to issue an 8-K; Morningstar, which
    releases an 8-K regularly on the fi rst Friday
    of every month, disclosed its 2012 breach a
    little more than one month after becoming
    aware of it. Some companies, such as health
    insurer Anthem, choose instead to wait
    until the next periodic report. A challenge
    facing a victim company is to balance the
    benefi ts of prompt disclosure against the
    potential downsides. Because a disclosure
    should be accurate and not misleading
    when made, a company should grasp the
    scope of the cyber incident before disclos-
    ing. In a typical breach, however, it is rare
    for an entity to be able to immediately
    assess the attack’s scope—investigations
    take time. Therefore, a factor to consider in
    deciding when to disclose is the pace and
    progress of the post-breach investigation,
    which will allow the company to under-
    stand the extent of the attack. A company
    confronts an unenviable disclosure dilem-
    ma: disclose based on the state of the world
    as you know it right now, and later be
    accused of not telling the whole story? Or
    disclose when you have a better grasp of
    what actually happened, but face accusa-
    tions of allowing earlier (and potentially
    rosier) cybersecurity disclosures to persist
    uncorrected? Generally, companies should
    resist falling into the immediate disclosure
    trap, because in our experience a cyber
    incident looks very different at the end of
    the fi rst week than it does at the end of the
    fi rst day. Furthermore, the company will
    Are you going to disclose anyway? Is the
    incident likely to become widely known? Absent
    a mandatory disclosure requirement, a
    company may still have reasons to disclose
    the attack to stakeholders. There may be
    contractual obligations to customers or
    other third parties to communicate about
    breaches involving their information. Even
    without a contractual obligation, a breach
    may affect a company’s vendors, suppliers,
    or partners, and the company may choose
    to disclose the incident to them. A sound
    operating assumption is that once the com-
    pany discloses an incident to even a single
    third party, it is likely to become widely
    known. Thus, the company should have
    a coordinated, unifi ed disclosure strategy
    to ensure that all interested parties are
    informed in a consistent manner, and very
    close in time. Companies can use affi rma-
    tive disclosure to mitigate any reputational
    harm or embarrassment that could arise
    from having the narrative created on your
    behalf by the media, security researchers,
    hackivists, or worse.
    Any such disclosure raises potential issues
    under the SEC’s Regulation Fair Disclosure,
    or Reg FD. Reg FD prohibits companies from
    selectively disclosing material non-public
    information to analysts, institutional inves-
    tors, and certain others without concurrently
    making widespread public disclosure. Many
    companies that communicate with third
    parties—as did J.P. Morgan after its October
    2014 breach—will issue a Form 8-K to make
    sure their communications do not violate
    Reg FD. It is worth considering whether dis-
    closures on a company’s website, or other-
    wise to customers, vendors, or other parties,
    trigger a Reg FD requirement.
    What to do about trading? Another reason
    that the materiality determination is a
    tricky one is that insiders in possession of
    material nonpublic information may not
    trade while in possession of that informa-
    tion. If there is even a chance that the cyber
    incident may be material, an early call that
    a public company general counsel must
    make is whether to close the trading

    ■ 64 SecurityRoundtable.org
    revealed that the SEC was among the gov-
    ernment agencies investigating the 2013
    data breach, including “how it occurred, its
    consequences, and our responses.”
    With the growing threat of cyberattacks
    and mounting pressure from Congress and
    the public, future regulatory and enforce-
    ment actions are almost assured. Companies
    should be prepared for additional scrutiny,
    review their existing disclosures in light of
    the Guidance and the SEC’s stated priori-
    ties, and apply these principles to the pub-
    lic disclosure and related questions that
    will arise post-breach.
    not want to have to correct itself after mak-
    ing its cyber disclosure—it will want to get
    it right the fi rst time.
    ■ SEC cybersecurity enforcement
    The SEC has not yet brought an enforce-
    ment action against a public company
    related to its cybersecurity disclosures. It
    has, however, opened investigations look-
    ing not only into whether companies ade-
    quately prepared for and responded to
    cyber incidents but also as to the suffi ciency
    of their disclosures relating to the breaches.
    Target’s February 2014 Form 8-K fi ling

    65 ■
    Internet Security Alliance, NACD – Larry Clinton, CEO
    of ISA and Ken Daly, President and CEO of NACD
    A cybersecurity action plan
    for corporate boards
    With the majority of cyber networks in the hands of the
    private sector, and the threats to these systems apparent and
    growing, organizations need to create an effective method
    to govern and manage the cyber threat. This responsibility
    ultimately falls to the corporate board of directors. In fact, the
    word cyber is derived from the same Greek word, kybernan,
    from which the word govern also derives.
    ■ How is cyber risk different from other corporate risks?
    Although corporate boards have a long history of man-
    aging risks, the digital age may create some unique
    challenges. To begin with, the nature of corporate asset
    value has changed signifi cantly in the last 20 years.
    Eighty percent of the value of Fortune 500 companies
    now consists of intellectual property (IP) and other
    With this rapidly expanding “digitalization” of assets
    comes a corresponding digitalization of corporate risk.
    However, many of the traditional assumptions and under-
    standings about physical security don’t apply to securing
    digital assets.
    First, unlike many corporate risks, such as natural dis-
    asters, cybersecurity risks are the product of conscious
    and often better-resourced attackers, including nation
    states and state affi liates. This means that the attack
    methods, like the technology, will change constantly,
    responding to defensive techniques and often in a highly
    strategic fashion. This characteristic of cyberattacks
    means that the risk management system must be a
    dynamic 24/7/365 fl exible process—a full team sport—
    requiring participation from all corners of the organiza-
    tion rather than being the primary responsibility of any
    one particular entity.
    Second, with many traditional human-based corporate
    risks, such as criminal activity, companies can plug into a

    ■ 66
    However, many digital technologies and
    business processes that drive business econ-
    omies come with major cybersecurity risks,
    which as discussed elsewhere (see Chapter 6),
    can put the corporation at a long-term cata-
    strophic risk.
    This means that cyber risk must be con-
    sidered not as an addendum to a business
    process or asset, but as a central feature of
    the business process. In the modern world,
    cybersecurity is as central to business
    decisions as legal and financial considera-
    tions. Thus, a board’s consideration of
    fundamental business decisions such as
    mergers, acquisitions, new product devel-
    opment, partnerships, and marketing
    must include cybersecurity.
    ■ Are corporate boards concerned about
    Although some critics have assumed that the
    publicity from high-profi le corporate breaches
    is prima facie evidence of corporate inatten-
    tion to cybersecurity, the evidence does not
    support that proposition.
    Corporate spending on cybersecurity has
    doubled over the past few years and now
    totals more than $100 billion a year. By com-
    parison, the total annual budget for the U.S.
    Department of Homeland Security is only
    about $60 billion—including TSA and
    immigration—with only $1 billion for cyber-
    security. Total U.S. government spending on
    cybersecurity is generally estimated to be
    near $16 billion. Moreover, recent surveys
    indicate cybersecurity now tops the list of
    issues corporate boards must face—replacing
    leadership succession, and two thirds of
    board members are seeking even more time
    and attention paid to cybersecurity.
    Although the data seems to show conclu-
    sively that corporate boards are aware of
    and becoming ever more interested in cyber-
    security, the novelty and complexity of the
    issue has led to a fair amount of uncertainty
    as to how to approach it.
    One recent survey found that despite the
    “spotlight on cyber security getting bright-
    er” that nearly half of directors had not dis-
    cussed the company’s crisis response plan
    well-defi ned legal superstructure including
    enforcement power, which can greatly assist
    the organization in defending itself.
    Unfortunately, in the cyber world this sys-
    tem is dramatically underdeveloped. In
    addition to the major problem of many
    attackers actually receiving state support,
    the international criminal legal system has
    not evolved to the point where there is any-
    thing close to the cooperation and coordina-
    tion generally available in the physical
    world. As a result, current estimates are that
    law enforcement is able to apprehend and
    convict less than 2% of cyber criminals.
    Third, corporate cybersecurity is not con-
    fi ned to traditional corporate boundaries.
    Whereas in the physical world a particularly
    conscientious organization might be able
    defend itself by having an especially strong
    security perimeter, the cyber world is essen-
    tially borderless. A fundamental characteristic
    of cyber systems is that they are interconnect-
    ed with other, independent systems. For
    example, the highly publicized breach of
    Target was accomplished by exploiting vul-
    nerabilities in Target’s air conditioner vendor.
    In another well-publicized case, a well-
    defended energy installation was compro-
    mised by malware placed on the online menu
    of a Chinese restaurant popular with employ-
    ees who used it to order lunch. This means
    that a board must consider not only their
    “own” security but that of all the entities with
    whom they interconnect, including vendors,
    customers, partners, and affi liates.
    Fourth, unlike many physical risks, in
    which the security effort is to create a perim-
    eter around an asset, so many modern corpo-
    rate assets are in fact digital. Cyber risk
    must be considered as an integral part of the
    business process. A good deal of modern
    corporate growth, innovation, and profi ta-
    bility is inherently tied to digital technology.
    Rare is the entity that has by now not built
    the benefi ts of digitalization into their busi-
    ness plan in many different ways, including
    online marketing, remote business produc-
    tion, employee use of personal mobile
    devices, cloud computing, big data, out-
    sourced process, and off-site employment.

    67 ■
    free, even as a goal. The goal is to keep your
    system healthy enough so that you can fi ght
    off the germs that will inevitably attack it.
    When you do get sick, as we all eventually
    do, you detect and understand the infection
    promptly and accurately and get access to
    the appropriate expertise and treatment so
    that you can return to your normal routine as
    soon as possible—ideally wiser and stronger.
    Thinking of cybersecurity narrowly as an
    IT issue to be addressed simply with techni-
    cal solutions is a fl awed strategy. The single
    biggest vulnerability in cyber systems is
    people. Insiders, whether they are poorly
    trained, distracted, angry, or corrupted, can
    compromise many of the most effective tech-
    nical solutions.
    Building on the NACD model, the Institute
    of Internal Auditors (IIA) extended NACD’s
    principle 1 by commenting that the board
    should receive an internal annual health
    check of the organization’s cybersecurity
    program that covers all domains of the
    organization’s cybersecurity, including an
    assessment of if the enterprise risk levels
    have improved or deteriorated from year to
    year, and comments specifically that
    “Sarbanes-Oxley compliance provides little
    assurance of an effective security program
    to manage cyber risks.”
    2. Directors must understand the legal
    implications of cyber risk.
    The legal situation with respect to cyberse-
    curity is unsettled and quickly evolving.
    Boards should be mindful of the potential
    legal risks posed to the corporation and
    potentially to the directors on an individual
    or collective basis. For example, high-profi le
    attacks may spawn lawsuits, including
    shareholder derivative suits alleging that the
    organization’s board neglected its fi duciary
    duty by failing to take steps to confi rm the
    adequacy of the company’s protections
    against breaches of customer data. To date
    juries have tended not to fi nd for the plain-
    tiffs in these cases, but that could change
    with time and boards need to be aware of the
    risk of court suits.
in the event of a breach, 67% had not discussed the company’s cyber insurance coverage, nearly 60% had not discussed engaging an outside cybersecurity expert, more than 60% had not discussed risk disclosures in response to SEC guidance, and slightly more than 20% had discussed the National Institute of Standards and Technology (NIST) cybersecurity framework.

■ A corporate board action plan for cybersecurity

In an effort to fill the gap between awareness and targeted action, the National Association of Corporate Directors (NACD), in conjunction with AIG and the Internet Security Alliance, published their first Cyber Risk Oversight Handbook for corporate boards in June 2014. The handbook was the first private sector document endorsed by the U.S. Department of Homeland Security as well as the International Audit Foundation and is available free of charge either through DHS or NACD. It identified five core principles for corporate boards to enhance their cyber risk oversight.

The five principles can be conceptualized into two categories. Principles 1, 2, and 3 deal with board operations. The final two principles deal with how the board should handle senior management.

1. Understand that cybersecurity is an enterprise-wide risk management issue.

The board has to oversee management in setting the overall cyber strategy for the organization, including how cybersecurity is understood in terms of the business. It is critical that the board not approach the topic simply by thinking, “What if we have a breach?” Virtually every organization will be successfully breached. The board has to understand the issue is how to manage the risks caused by breaches, not to focus solely on how to prevent them.

One useful metaphor is to think of corporate cybersecurity in a similar fashion to how we think of our own personal health. Obviously, it is impractical to be totally germ

Prudent steps for directors to take include maintaining records of discussions related to cyber risks at the board and key committee meetings. These records may include updates about specific risks as well as reports about the company’s overall security program and how it is addressing these risks. Evidence that board members have sought out specialized training to educate themselves about cyber risk may also be helpful in showing due diligence.

No one standard applies, especially for organizations that do business in multiple jurisdictions. Some countries, including the U.S., have received specific guidance from securities regulators. Many countries have passed a variety of laws, some of which may be confusing or conflicting with mandates in other countries. It is critical that organizations systematically track the evolving laws and regulations in their markets and analyze their legal standing.

Again, building on the NACD model, IIA emphasizes that this legal analysis must be extended to third parties and recommends that the board get a report of all the critical data that are being managed by third-party providers and be sure the organization has appropriate agreements in place, including audits of these providers. The board ought to communicate that a “chain of trust” is expected with these third-party providers, that is, that they have similar agreements with their down-stream relationships.

3. Board members need adequate access to cybersecurity expertise.

Most board meetings are incredibly pressed for time, and often there are multiple issues and people who feel they need more board time. Add to this the fact that most acknowledge that directors lack the needed expertise to evaluate cyber risk, and the board is left with the conundrum of how to get enough time to become properly educated to address this serious issue.

One answer is to increase the use of outside experts working directly with the board to provide independent assessments. Indeed, some boards are now recruiting cyber professionals for board seats to assist in analyzing and judging staff reports. Another technique is to schedule periodic “deep-dives” for the full board. Many organizations have delegated the task to a special committee—often audit but sometimes a risk or even technology committee—although no one approach has been demonstrated clearly superior. A proliferation of committees can exacerbate the board time problem, and due care must be taken not to overload any one committee, such as audit, with issues that are not inherently in their expertise lane.

Still another technique is to empower the board with the right questions to ask and require that the outside or internal experts answer the questions in understandable terminology. The NACD Cyber Risk Handbook provides lists of 5 to 10 simple and direct questions for board members covering the key issues such as strategy and operational readiness, situational awareness, incident response, and overall board “cyber literacy.”

At minimum, boards can take advantage of the company’s ongoing relationships with law enforcement agencies and regularly make adequate time for cybersecurity at board meetings. This may be through interaction with CISOs or as part of the audit or similar committee reports. More appropriately, boards, as discussed above, should integrate these questions into general business discussions.

The final two principles offered by NACD focus on how boards should deal with senior

4. Directors need to set an expectation that management have an enterprise-wide cyber risk management framework in

It is important that someone be thinking about cybersecurity, from an enterprise-wide perspective (i.e., not just IT), every day. Corporations have introduced a variety of models: chief risk officer, chief financial officer, chief operating officer, as well as the more traditional CIO and CISO models. The

important aspect to ensure, however, is that the risk management is truly organization wide, including the following steps:

• establish leadership with an individual with cross-departmental expertise
• appoint a cross-organization cyber risk management team including all relevant stakeholders (e.g., IT, HR, compliance, GC, finance, risk)
• meet regularly and report directly to the
• develop an organization-wide cyber risk management plan with periodic tests, reports, and refinements. At a more technical level, the Cyber Security Framework developed by the National Institute of Standards and Technology (NIST) is a useful model.
• develop an independent and adequate budget for the cyber risk management

One mechanism to implement the framework is to create a “cybersecurity balance sheet” that identifies, at a high level, the company’s cyber assets and liabilities and can provide a scorecard for thinking through management progress in implementing the security system. The balance sheet may begin with identifying the organization’s “crown jewels.” This is an important exercise because it is simply not cost efficient to protect all data at the maximum level. However, the organization’s most valued data must be identified (e.g., IP, patient data, credit card data). Other corporate data can be similarly categorized as to its relative security needs.

The next step is to discuss the strategy for securing data at each level. This strategy generally involves a consideration of people, process, and technology.

At the technology and process levels there are a range of options available, with good research indicating cost-effective methods to secure lower-level data, thus reserving deployment of more sophisticated, and hence costly, measures for the higher valued data.

At the people level, it is important to follow leading practices for managing personnel, especially with respect to hiring and firing. Ongoing cybersecurity training is similarly important and most effective if cybersecurity metrics are fully integrated into employee evaluation and compensation methods. Of special attention is the inclusion of senior and other executive level personnel who, research has shown, are highly valued targets and often uniquely lax in following through on security protocols.

The asset management process then can be considered in light of the business practices that may create liabilities.

For example, the expansion of the number of access points brought on by the explosion in mobile devices and the emerging “Internet of Things” (connecting cars, security cameras, refrigerators, etc. to the Internet) really increases vulnerability (see Chapter 6).

Still a different type of vulnerability can occur in the merger and acquisition process. Here management may feel pressure to generate value through the merging of highly complex and technical information systems on an accelerated pace. In discussions with management, the board must carefully weigh the economics of the IT efficiencies the company seeks against the potential to miss or create vulnerability by accessing a system that is not well enough understood or has not had its deficiencies mitigated.

5. Based on the plan, management needs to have a method to assess the damage of a cyber event. They need to identify which risks can be avoided, mitigated, accepted, or transferred through insurance.

Organizations must identify for the board which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets then must be allocated appropriately between defending against basic and advanced risks.

This principle highlights the need for the “full-team” approach to cybersecurity advocated under principle 4. For example, the marketing department may determine

    ■ 70 SecurityRoundtable.org
that a particular third-party vendor is ideal for a new product. The CISO may determine that this vendor does not have adequate security. Marketing may, nevertheless, decide it is worth the risk to fulfill the business plan, and presumably senior management may support marketing, but condition approval on the ability to transfer some of this additional risk with the purchase of additional insurance.

This is an example of the process proceeding appropriately, wherein cyber risk is integrated into business decisions and managed on the front end consistent with the organization’s business

If an organization follows these principles, it should be well on its way to establishing a sustainably secure cyber risk management system.

Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director

Establishing a board-level cybersecurity review blueprint

Over the last two years cybersecurity has leaped to the top of the boardroom agenda. If you’re like most board members, though, you haven’t had enough time to figure out how to think about cybersecurity as part of your fiduciary responsibility, and you’re not quite certain yet what questions to ask of management. You may even harbor a secret hope that, like many technology-related issues, cyberthreats will soon be rendered obsolete by relentless

Don’t count on it. Cybersecurity is taking its place among the catalog of enterprise risks that demand boardroom attention for the long term. It comes along with the digital transformation that is sweeping through virtually all industries in the global economy. As businesses “digitize” all aspects of their operations, from customer interactions to partner relationships in their supply chains, entire corporations become electronically exposed—and vulnerable to cyberattack.

Cybersecurity risk is not new. However, in the last two years multiple high-profile attacks have hit brands we all trusted with our personal information, making for big headlines in the media and significant reputational and financial damage for many of the victimized companies. What’s more, corporate heads have rolled: CIOs and even CEOs have departed as a direct result of breaches. The ripple effect continues. Cybersecurity legislation is a perennial agenda item for governments and regulators around the world, and shareholder derivative lawsuits have struck the boards of companies hit by high-profile

Although directors have added cybersecurity enterprise risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue. This chapter’s goal is to help directors evolve their mindsets for thinking

about the enterprise risk associated with cybersecurity and provide a simple blueprint to help directors incorporate cybersecurity into the board’s overall enterprise risk

■ Establishing the right blueprint for boardroom cybersecurity review

For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s

Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to prevent access by bad actors. Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to meet cyberthreats as rapidly as possible and on mitigating the associated

Also important to a board member’s cybersecurity mindset is to be free from fear of the technology. Remember, the issue is enterprise risk—not technical solutions. Just as you need not understand internal combustion engine technology to write rules for safe driving, you need not be excluded from the cybersecurity risk discussion based on lack of technology acumen. Although this is liberating, in a sense, there is also a price: directors cannot deny their fiduciary responsibility to oversee cybersecurity risk based on lack of technology acumen.

Given a focus on enterprise risk (not technology) and risk mitigation (not attack prevention), the correct blueprint for cybersecurity review at the board level can best be expressed through the following three high-level questions:

1. Has your organization appropriately assessed all its cybersecurity-related risks? What reasonable steps have you taken to evaluate those risks?
2. Have you appropriately prioritized your cybersecurity risks, from most critical to noncritical? Are these priorities properly aligned with corporate strategy, other business requirements, and a customized assessment of your organization’s cyber
3. What actions are you taking to mitigate cybersecurity risks? Do you have a regularly tested, resilience-inspired incident response plan with which to address cyberthreats?

Naturally, these questions are proxies for the industry-specific and/or situation-specific questions particular to each organization that will result in that organization’s most productive cybersecurity review. The key to formulating the relevant questions for your organization is to find the right balance between asking enough to achieve the assurance appropriate to board oversight, but not so much that management ends up spinning wheels unnecessarily.

The rest of this chapter is a guide to framing board-level cybersecurity review issues for your organization by exploring meaningful ways to apply these high-level questions in a variety of circumstances and industries. The next step is yours, or your board’s: use this blueprint to drive cybersecurity enterprise risk discussions with management, critical stakeholders, and external experts. Doing so will help achieve cyber resilience for your organization.

■ The board’s cyber resilience blueprint

Boards are very comfortable managing financial issues and risks. They have audit committees, they have compensation committees, their members include former CFOs (to populate those committees), and they have plenty of experience reviewing financial

statements and analyzing profit and loss. The knowns are known and the unknowns are few, if any.

It is useful to juxtapose this stable, comfortable picture with the state of board-level cybersecurity discussion—that is, you may not yet be certain what questions to ask, or know what to expect from management’s responses. To help accelerate you toward the same level of stability and comfort you have managing financial issues, the following board-level cybersecurity review blueprint is organized into six areas:

1. Inclusive board-level discussion: empowering all directors to be accountable for cybersecurity
2. Proactive cyber risk management: incorporating cybersecurity into all early stage business decisions
3. Risk-oriented prioritization: differentiating assets for varying levels of cyber protection
4. Investment in human defenses: ensuring the organization’s cybersecurity investment goes beyond technical to include awareness, education, and training programs for
5. Assessments of third-party relationships: limiting cyber exposure through business
6. Incident response policies and procedures: mitigating potential risks when breaches occur.

1. Inclusive board-level discussion

Given the rapidly growing threat posed by cybercrime and the potentially devastating consequences of a major breach, it is critical that every director have enough of an understanding of cyber risk to be able to take an active part in the board’s cybersecurity review process, and that these discussions take place regularly—preferably at every meeting of the board.

A committee responsible for studying cybersecurity risk can cover both of these aspects of participation. With such a committee, someone on the board (i.e., the committee chair) becomes the stakeholder charged with becoming educated about cybersecurity risk and educating the broader group. Although the board will never need to know how to configure a firewall, there is much to learn about the nature of cybersecurity risks, their potential impacts on your organization, and successful mitigation approaches. It may also be appropriate to appoint a director with cybersecurity expertise for this purpose.

Establishing such a committee also fulfills the goal of consistent cybersecurity discussion. The chair can give a report, arrange for reports from the CIO or CISO, or facilitate talks by outside experts on issues around which additional subject matter expertise proves useful. Threat intelligence is an example of an excellent topic for an outside expert because it’s not a specialty most organizations have in house or that can be justifiably developed. A person or organization steeped in analyzing the tools, approaches, and behaviors of threat actors can look at your organization’s profile and provide customized insight that accelerates the board’s cybersecurity education.

To empower all directors to engage in cybersecurity review, board-level discussions should address issues in the enterprise risk language with which boards are already familiar. One requisite, therefore, is that boards not stand for technical jargon. Even reports from the CIO should be delivered in plain language free of specialized terms.

Active inclusion, in sum:
• Establish a cybersecurity risk committee, or add the subject to an existing enterprise risk committee.
• Discuss cybersecurity risk at every board meeting.
• Empower all directors to become educated and comfortable discussing cybersecurity risk.

2. Proactive cyber risk management

It is important to incorporate discussion of cybersecurity risk in all business decisions, from the beginning, because it is much harder and far less effective to consider cybersecurity after the fact. Whether a decision has to do with corporate strategy, new product launches, facilities, customer interaction, M&A, legal or financial issues, management should always proactively consider cybersecurity risk.

As an example, take the white-hot omni-channel marketing trend, which has retailers using mobile technology to collect data from their customers, and then exploiting that knowledge to better target marketing and promotions—sometimes, at the moment a customer walks into the store. Obviously, such retailers are gathering more information about their customers than ever before. How will they protect it? Do the mobile applications that make these approaches possible expose their organizations to new vulnerabilities? No matter how exciting the revenue-driving opportunity, these are questions that retail boards should be asking management as part of the decision to pursue such initiatives. Management should respond with some variation of, “Our software vendor says their security is X, and in addition, we’re doing our own testing to see how vulnerable the software may be before we introduce it to our customers.”

Boards should extrapolate the thinking in the above example to all aspects of their business decision-making. To apply proactive thinking to cyber strategy, consider growth through M&A. Boards should think through M&A cybersecurity risks in multiple dimensions. To name three: adding cybersecurity analysis of the target to their diligence process; protecting their M&A process from cyber breaches; and potential cyber exposure resulting from post-deal

In both of these examples, it should be clear how challenging it would be to address cybersecurity concerns after the initiative gets underway.

3. Risk-based prioritization

Everyone’s resources are limited. Because there are an infinite number of cybersecurity measures in which a company can invest, the trick is to prioritize such measures based on a customized assessment of the most serious threats facing your organization. Such assessments should be approached along two primary dimensions: your organization’s most valuable assets and its greatest cyber vulnerabilities.

Often, your most critical assets are obvious: payment card data for a retailer, the script of an upcoming franchise sequel for a movie studio, the source code at the heart of a software company’s bestselling product. Every board’s cybersecurity review must ask management what measures are being taken to protect a company’s most critical assets, beginning with development and on through production and distribution. Beyond the most critical are other assets that require differentiated gradations of protection. Identifying and prioritizing those assets is an information governance challenge, so the board also has to understand the organization’s information governance policy and have a sense for the quality of its execution. Has the company identified what are sensitive

Proactive cyber risk management, in sum:
• Think about potential cybersecurity risk from the outset of all business initiatives from corporate strategy to new types of customer interaction.
• Think particularly about new kinds of risk associated with emerging digital business

data and where they are being held? What data are not sensitive and where are they being held? Are your retention policies ensuring you keep the information that is important and throw away everything else? We’ve all read headlines about breaches that could have been less sensational if the victims had better retention

The second dimension—your company’s cyber vulnerabilities—is where customized threat intelligence plays a role. Analyzing your network for weaknesses, learning where sensitive information is stored and how it is protected, and assessing your environment: the competitiveness of your industry (e.g., how valuable your intellectual property is to others) and the way information flows in concert with business processes (e.g., whether or how you store sensitive information about consumers or clients, what countries you do business in, and what that implies for your

The board’s cybersecurity review should include discussion of both dimensions, and the issues should be discussed often—these risks are not static. They can vary significantly over time and depend on evolving Internet connectivity and infrastructure

4. Investment in human defenses

Cyber defense and cyber resilience are as much human matters as they are matters of products and technology configurations. Although security technologies for protection and response are indeed necessary, boards should also ask about enterprise-wide cybersecurity education and awareness. Furthermore, investments in human defenses should be aligned to the insights from customized threat intelligence so they are focused on the ‘most valuable/most vulnerable’ prioritization discussed in the previous section.

When looking at cybersecurity investment, board reviews should include classic IT spending on systems that authenticate user identity and manage access, as well as compliance with applicable laws and regulations. However, that’s just the baseline. Boards need to think further, to issues such as the following:

How well does our IT knowledge/expertise align with the kind of challenges suggested by our threat intelligence reports?
Are we appropriately augmenting our internal staff with outside expertise?
Should we hire “white hat” hackers to attack our networks in search of gaps?
Should we test our employees’ anti-phishing

No matter how well your security technology works, hackers can always go after the weakest link—humans—through a combination of tactics known as social engineering and spear phishing. The only defense against these phenomena is enterprise-wide education. Ongoing education and awareness programs, such as spear phishing training, should be part of the cybersecurity investment. Boards should ask about, support, and ensure these programs are aligned with business requirements.

Risk-based prioritization, in sum:
• Optimize limited resources by prioritizing along two dimensions: what’s most valuable and what’s most vulnerable.
• Ensure the quality of policies and practices around the organization’s approach to information governance so that all assets are protected appropriately.

5. Assessments of third-party relationships

Those of us paying close attention to the stories behind 2014’s cyber breach headlines know that in many cases the so-called “attack vectors” came through third-party relationships. Bad actors breached a business partner (that likely had weaker security than the intended target) and then used that partner’s access credentials to break into the target company.

But this is only one way in which third-party relationships create security vulnerabilities. As business collaboration surges, for example, the amount of confidential, trade secret, and intellectual property information that is being shared among employees of business partners skyrockets. This electronic flow of mission critical information, often across the open Internet, creates an environment ready-made for economic espionage. It used to be such cases were a particular thorn in the side of only a few sectors, such as defense, energy, and technology. Today, all kinds of industries are targeted.

A board’s cybersecurity review should include an understanding of how the organization conducts cyber due diligence on third parties. Boards need a clear understanding of the third parties their organizations do business with and must prioritize those relationships in terms of high, medium, and low risk. Once a partner is identified as high risk (e.g., they have access to your corporate network), that partner’s own security posture must be understood. How much visibility does your organization have into your vendors’ security policies and practices? Do they respond to your security questionnaires? Do you have the right to conduct on-site validations/audits?

Boards also should require IT involvement early in the development of new business partner relationships. That way, information access can be better tuned to the business requirements of the partnership. An HR vendor, for example, may need access to your employee data, but that access may not need to be around the clock. Perhaps it can be controlled and limited to certain times of the month and/or hours of the day to limit risk exposure and enable finely tuned security monitoring.

6. Incident response policies and procedures

Armed with the knowledge that perfect security isn’t achievable and breaches are therefore inevitable, boards must ensure their organizations have well-honed policies for cyber incident response, and must test these plans with regular simulation exercises. Good incident response plans define the roles and responsibilities of the response team (including crisis communications, human resources, legal, IT, etc.) and establish clear initial action items, including notifications to internal and external resources who will lead an investigation or manage communications. Remember, preparing for the worst is not an admission of a weak or vulnerable network. On the other hand, a delayed, bumbling response to a security breach is what often leads to increased data loss, exposure to regulatory action, and reputational damage.

Assessments of third-party relationships, in sum:
• Review all business partner relationships for potential cybersecurity vulnerabilities.
• Empower IT’s involvement earlier in the development of business relationships.

Human investment, in sum:
• Supplement appropriate investment in information security products with continuous enterprise-wide cybersecurity awareness, education, and training programs.

Two key thoughts boards should keep in mind when reviewing incident response plans were noted previously, albeit in a different context. First, it is critical to engage the entire enterprise in your incident response plan. IT security professionals can only do so much if an employee clicks on a spear phisher’s link, creating a hole in your network. Employees can be educated to avoid those clicks and incented to be first responders—or, at least, to notice these attempts to breach your company’s defenses. Employees are on the front lines of cybersecurity; prompt notice of a breach from an alert employee can often significantly mitigate damage. Second, your organization’s cybersecurity risk environment is a dynamic, ever-changing thing. Your incident response plan must be kept up to date and rehearsed continually, taking evolving threat intelligence into account.

Appropriate board-level review questions include the following:
What are the organization’s policies and procedures to rapidly identify breaches?
How are all employees empowered to monitor and report/respond?
How are we triaging/escalating once an incident is detected?
How is incident response integrated into IT
What are we doing to align our cyber responses to business requirements and to ensure that all parts of the business understand their roles in the response plan?
How does our response plan match up with our threat intelligence? Are we characterizing our risk in a way that is consistent with most likely attacks?

Incident response, in sum:
■ Because breaches will happen, board review must ensure first-class incident response.
■ All enterprise employees should be part of the incident response plan.
■ Incident response must continually evolve—because threats do.

■ Conclusion: No surprises!
No one likes unpleasant surprises, least of all corporate boards. The goal of a board’s cybersecurity review is to avoid being unprepared for a cyber incident. Unfortunately, experience so far suggests that the only companies with truly top-grade, board-level cybersecurity plans are those that have experienced an unpleasant surprise in the form of a bad breach. They felt the pain once and don’t ever want to go through it again.

If you follow the board-level cybersecurity review thinking and principles discussed in this chapter, and partner with external experts that bring domain-specific knowledge and skills you may not have in-house, you can avoid surprises and be prepared to meet risk head on. The review approach described in this chapter will enable you to lead your organization’s shift from a paradigm of discomfort and uncertainty in the cybersecurity risk realm to one of assurance and comprehensive answers, facilitated by the board’s regular cyber risk discussions; from simple perimeter protection to around-the-clock monitoring and universally understood incident response; from lack of cyber risk awareness to enterprise-wide awareness led by top-down C-suite messaging and incentivized employee behavior.

The blueprint presented in this chapter can help ensure you truly have your eye on the cyber risk ball. Obviously, that doesn’t mean your company won’t be breached. But if—or when—you are, you will be able to handle the event with clear-eyed confidence that the risks have been properly

    ■ 78 SecurityRoundtable.org
[Figure: Cyber review blueprint. Elements: Inclusive board-level discussion; Proactive cyber risk management; Risk-oriented prioritization; Investment in human defenses; Assessment of third-party relationships; Incident response policies and procedures.]

Dell SecureWorks – Mike Cote, CEO
Demystifying cybersecurity strategy and reporting: How boards can test assumptions

Cybersecurity is one of those issues that justify the statement, “It’s what you don’t know that can hurt you.” Although board engagement in cybersecurity risk is on the rise, corporate directors continue to struggle with the complexity of the subject matter, making it more difficult for them to assess whether the company’s strategy is effective. As one public company director recently stated, “I understand the magnitude of the risk, and I know we have significant resources decked against it, but as a board member how will I know if management has the right measures in place to keep us from being the next story in the news?”

This chapter does not explain how to eliminate the risk of a data breach. In fact, one requirement for being resilient against cyberthreats is to accept that breaches will happen. Nor does this chapter strive to make an expert of the reader. After all, the board’s job is to provide reasonable oversight of the risk, not manage it.

What this chapter does do is provide boards with a framework of inquiry—elements of a mature security strategy in plain language—to help directors have discussions with management about the company’s overall resilience against the threats. By understanding these concepts, directors will have a better context for testing assumptions when management reports on metrics such as the effectiveness of breach prevention, breach frequency, and response time.

■ Background: Who is behind hacking, and why do they do it?
Before delving into the right strategy for cybersecurity, it is helpful for boards to first understand the nature of the threat. Hacking has become a burgeoning global industry that generates billions of dollars in illicit trade annually. It’s fueled by a strong reseller’s market in which hackers sell stolen data to others who possess the desire but not the tools to harvest valuable intellectual property. It’s funded by organized crime and actors within nation-states that not only operate beyond any jurisdiction but also have access to billions of dollars of capital to invest in these criminal operations.

The robust cyber black market offers stolen goods—from credit cards to personal identities—in large quantities at reasonable cost. Sellers also offer money-back guarantees on the quality of their goods. Buyers can obtain tutorials for hacking or for using stolen data, and they can even hire subcontractors to do the dirty work.

It’s not always about the money. From attacks based on sectarian hate between nation-states to sabotage from a bitter, laid-off employee, motivations for hacking run deep and wide. Anger about environmental policies and resentment against the excesses of Wall Street are among other examples. Whatever their reasons, hackers are focused on stealing, disrupting, or destroying data every moment of every day. There are thousands of cyber criminals around the globe. They work around the clock, for free or for hire, on speculation or with a known purpose, trying to invent new ways to steal or harm a company. They have the funding and technology to be not only persistent but also highly adaptable, and the barrier to replicating their cyber weapons is low in contrast to the physical world. They have the luxury of always being anonymous, always on offense, and seldom prosecuted.

Companies, on the other hand, are highly visible, and by virtue of being connected to the Internet must operate in an environment where being attacked by hackers is the norm. Companies must prevent, detect, defend against, and take on the threat without the luxury of knowing when they’ll be attacked, by whom, or on what front.

A mature cybersecurity strategy prepares for and responds to this challenging environment. Breaking that strategy down into its core elements provides boards with a useful framework for discussing risk assumptions with the chief information security officer.

■ Elements of a mature security strategy . . . in plain language
1. Determine what needs protecting and who holds the keys.
Companies begin their journey to resiliency by identifying and prioritizing the assets they must protect. What do cyber criminals want that they can get from us and why? Do employees handle intellectual property that could make or break us competitively? Do we collect personally identifiable information that cyber criminals could sell to identity thieves? Do we store customer account information? How would someone take command and control of our infrastructure or systems?

It is equally important to know where those coveted assets are located. Many boards are surprised to learn that the information security team is fending off hackers across the entire enterprise, even outside it: for example, in a supplier’s network, on a home computer, or on an employee’s iPad, where he or she just reviewed a proprietary schematic. Hackers are capable of scanning for vulnerabilities wherever someone connects to the Internet, and business leaders must operate under the assumption that even they are a target.

As with sensitive financial information, only those who need access to the assets should have it, and policies should be in place to ensure stringent controls. Administrator passwords are gold to cybercriminals, and increasing the number of people with access to them effectively multiplies the ways that hackers can attack.

2. Prevention is not an endgame.
It’s tempting to think that we can eliminate breaches if we just put more effort into prevention at the front end, but information security professionals know that eliminating the possibility of a breach is an unrealistic goal in today’s environment. Preventative tools such as firewalls play an essential role because they provide the first layer of defense: they ‘recognize’ and stop the threats we already know about. As we already established, however, hackers are highly adaptive. No one piece of technology can provide a complete defense. A good security program assumes that at some point prevention will fail and the business will have to deal with threats in its network.

Detection then becomes the focus. Companies need the right technology, processes, programs, and staff to help them detect what has happened so that they can find the threat and respond more quickly to contain and eradicate it. The question is not if the hackers will get in but when. Board members may test this assumption by asking their security team, “Do we know if hackers are inside our defenses right now? How do we know when they get in?”

3. You can’t defend with your eyes closed.
No one wants to be blindsided. If a company’s security team can’t “see” what is happening on the network and across all of the endpoints such as work stations, point-of-sale terminals, and mobile devices, then the company will have little chance to detect or respond quickly to an attack when prevention fails. Visibility across the enterprise is an essential attribute of the cybersecurity strategy because it helps companies respond to unusual activity more quickly, reducing down time and related costs.

Business leaders should know that having visibility means collecting large amounts of data from all of those places. Unfortunately those data are useless if the security team doesn’t have the bandwidth to analyze and act on it. The information security industry has responded to this problem, and services are available to manage the data, do the heavy lifting, and sort out what is actionable. The actionable data can then be fed back to the information security team to more efficiently zero in on the threats that need their immediate attention. Boards may ask if their security team is managing all the data itself, and, if so, does it still have the bandwidth to focus on the actual threats.

4. Stay a step ahead: The future won’t look like the past.
To stay one step ahead of the threat, an information security program should also be able to predict what the adversary will do next. To make financial predictions, business leaders apply internal and environmental intelligence to test assumptions. In the case of cybersecurity, security teams should apply “threat intelligence,” which tells them the intent and capabilities of current, real-world hackers who may want to harm them. Gathered from a company’s own environment and often supplemented with much broader environmental intelligence from a third party, threat intelligence can be applied to cybersecurity technologies and human procedures. As a result, the enterprise is able to anticipate the nature of forthcoming attacks and more effectively allocate limited resources to stop them.

Companies with the ability to predict can also defend earlier with less effort and recover faster when a breach occurs. When boards and management discuss metrics like breach frequency, response time, and potential impact, it’s helpful to know if the security team is applying threat intelligence to help them make their assumptions.

5. Educate and train vigilant employees.
One of the most important defenses against cyberattack is an informed, vigilant employee population. Employees and executives are often targeted with carefully crafted emails designed to be relevant to the employee’s personal or work life. In reality, these phishing emails are often loaded with malicious code. One click by a less careful individual can deploy a cyber weapon into the company’s network and execute various actions that shut down critical business functions or steal information and accounts. Similar tactics may be used over the phone to get employees to divulge confidential information such as client lists, which can then be paired with other stolen data to complete a set of stolen identities.

The bottom line is that human behavior is equally as important as security technologies in defending against the threat. Boards should know whether employee awareness and training programs are in place and how effective they are. The best programs will simulate how hackers may trick an employee and provide on-the-spot training if the employee falls victim. An open dialog in these cases helps employees and the organization as a whole learn from mistakes. It also builds a culture of security

6. Organize information security teams for
Defending and responding effectively against cyber adversaries also depends on manpower and expertise. Technologies cannot be used to full advantage without highly skilled people to correlate, analyze, prioritize, and turn the data into actionable intelligence that can be used to increase resilience. A properly organized and staffed security team needs people with many different types of expertise and skills. It requires people to deploy the technologies, understand what the threats are, determine what hackers are doing, fix system and software vulnerabilities, and counter active threats. Although these professional capabilities are interdependent, they are not all interchangeable, requiring different training and certifications. Information security leaders also need the management skills to put the right governance processes and procedures in place, advocate for security requirements, and communicate risk to senior management.

Boards are encouraged to inquire as to whether the security team has the bandwidth and manpower to be able to respond and remediate a crisis, as well as to handle day-to-day operations. Security teams should be organized to focus on what matters most—immediate threats—and other resources should be considered where there are gaps.

7. Measure effectiveness, not compliance.
It is impossible for a company to know how effective its security program is against real-world attackers unless it conducts real-world exercises to test its defenses. Compliance frameworks can improve rigor in many areas of cybersecurity, but it is folly to assume that following a compliance mandate (or even passing a compliance inspection) is commensurate with resilience. No matter how well architected a security program is against recommended standards, no two companies’ environments are alike. That’s why it is so important to battle-test one’s own environment. Network security testing emulates actual hackers using real-life tactics such as phishing to validate how well defenses work against simulated attacks. By learning how hackers penetrate security defenses, companies can determine actual risk and resource cybersecurity operations accordingly. Testing also helps companies meet compliance mandates. Compliance should be a by-product of an effective security program, not the other way around.

8. Emphasize process as much as technology.
Technology is only half the solution to making a company resilient. Breaches can occur as the result of human and process errors throughout the enterprise. Take the example of recent high-profile cases in which weaknesses in a supply chain or a business partner’s security allowed hackers to access the parent company’s network and do significant damage. Leading practice today is for companies to insist, by contract, that their business partners meet the same security

However, what if a business line leader fails to insist on contract requirements in the interest of going to market quickly? What happens when business enablement trumps security in the far reaches of the business, where people think, “No harm done”? Adequate checks and balances should be in place to ensure that IT security and business procedures are being executed, and policies should hold relevant business leaders and employees accountable for implementation. How do you know when procedure isn’t followed? Real world testing confirms not only the effectiveness of your defenses but also the process, policies, and procedures that keep those defenses in place, operational and optimized for resilience.

■ Summary: A framework for oversight
By the very nature of being connected to the Internet, companies are targeted 24/7, 365 days a year by anonymous, sophisticated hackers who strive to steal from or harm the business and its employees. That ongoing challenge is taking place across the entire enterprise, not just on the network, so it’s important to remember that we all play a role in managing the risk: employees, business partners, and even board members. There is no silver bullet piece of technology that will eliminate all danger, and being resilient is just as dependent on people and process as it is on technology. A cybersecurity ‘win’ in this environment is defined as how effectively and efficiently the company finds and removes threats from its environment and whether it remains fully operational in the

Cybersecurity risk is an enterprise risk, not a function of IT. For boards to provide reasonable oversight they’ll have to understand what the company is protecting, inquire about how well the company is organized to defend those assets, and explore whether it has the manpower and capabilities to respond and remediate in the event of a breach. Compliance is an important element of cybersecurity, but it is a by-product of a good program, not the measure of effectiveness. Nor is it a guarantee of security, as illustrated by many recent high-profile breaches in which companies had already met the requirements for one compliance mandate or another.

Difficult decisions about funding can be made more easily by discussing how existing resources are allocated. Many business leaders fear that “we’ll never spend enough,” but experience shows that a pragmatic approach to funding the security program is to focus on effectiveness and prioritization:
■ Determine actual vulnerabilities by regularly testing defenses.
■ Detect the perpetrators more quickly by increasing visibility.
■ Predict and mitigate risks more quickly and efficiently by applying threat intelligence.
■ Apply time, attention, and funding

Companies may also want to consider third-party providers to monitor, correlate, and analyze the massive quantity of data that a mature security program generates. This allows valuable, and sometimes scarce, human resources to focus on the actual threats. A reputable third party can also provide the testing that determines effectiveness and be a helpful validator of the program.

Armed with an understanding of what a mature security program looks like and how it plays out across the entire enterprise, boards will be better equipped to discuss the company’s current strategy and inquire about assumptions in the metrics.

    Electronic version of this guide and additional content available at: SecurityRoundtable.org
    Cyber risk corporate

Palo Alto Networks Inc. – Davis Hake, Director of Cybersecurity Strategy
The CEO’s guide to driving better security by asking the right questions

I recently met with a chief information officer (CIO) whose chief executive officer (CEO) had just taken a striking and dramatic interest in cybersecurity. He had read an article in the paper about cyberthreats to major corporations and wanted to know what his own company was doing to solve the specific problem described in the article. The CIO was incensed, because the question would inevitably force him to shift priorities for his already overworked team to an issue that had little to no effect on their actual security efforts. There is an old saying in the disaster response community that you shouldn’t exchange business cards during an emergency. In essence, you need to familiarize yourself with the risks and relevant people before an emergency so security teams are not blown in different directions depending on the new security scare of the day.

Similarly, CEOs cannot familiarize themselves with cybersecurity narrowly through the lens of a single incident that occurs on their network or with one of their competitors. The danger in responding to a singular event or threat in isolation—or daily incidents we read about in the press—is that this is a reactive approach rather than a holistic, risk-based approach. Cybersecurity is the poster child for this phenomenon. Executives know that there is a newfound focus on cybersecurity at the boardroom level—incidents like Target’s 2013 data breach have been a wake-up call for many—but there is often still a severe lack of understanding about the real risks behind the headlines. The statistics also back up the magnitude of these anecdotes.

A recent New York Stock Exchange (NYSE) and Veracode survey looking at boardroom attention to cybersecurity found 80 percent of participants said it is discussed in most or every boardroom meeting. They noted specifically that “responsibility for attacks is being seen as a broader business issue, signaling a shift AWAY from the chief information security officer (CISO) and the IT security team.” Where is this shift moving to? “When a breach does occur, boards are increasingly looking to the CEO and other members of the executive team to step up and take responsibility,” said the authors.

Yet despite this shift in perceived responsibility to the executive level, there does not appear to be the same drive to connect technical teams to the board-level focus on concerns about cybersecurity risk. A 2015 Raytheon and Ponemon Institute study of those with the day-to-day technical responsibility for cybersecurity (CIOs, CISOs, and senior IT leaders) found that 66 percent of respondents believe senior leaders don’t perceive cybersecurity as a priority. What this means is that while CEOs are increasingly on the hook from their boards for being savvy about cyber risks, many are not yet engaging with the necessary parts of their organization to address cybersecurity issues.

Our hope is that this guide can prime you to ask productive questions that drive better people, processes, and technological change to reduce the risk of successful breaches of your organization. As the CEO, it is your job to balance risk and reward within your company. Cyberthreats are not magic, hackers are not wizards, and the risks to your specific organization from a breach can be managed just like any other risks that you make decisions about every day. In fact, these risks can even be turned into opportunities for new innovation.

But where to begin? You want to avoid causing unnecessary work, but you are required to participate in, and often lead, the conversation around addressing cyber risks. When the U.S. Government began working with members of the IT and critical infrastructure industry on a Cybersecurity Framework for improving critical infrastructure cybersecurity, a key point that arose was the need for nontechnical tools that could be used at an executive level. Technical best practices have existed in international standards and government agencies for years, but common problems such as a lack of investment, absence of high-level strategy, and failure to integrate into business operations still plagued many organizations struggling to address cyberthreats. Seeing this tension in many of the organizations they were briefing on cyberthreats, the U.S. Department of Homeland Security worked with current and former executives to help capture five simple questions that a CEO could ask his or her technical team, which would also drive better security practices. They are:
1. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
3. How does our cybersecurity program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5. How comprehensive is our cyber incident response plan? How often is the plan tested?

The team that coordinated the Cybersecurity Framework also provided key recommendations to leadership, to align their cyber risk policies with these questions. First and foremost, it is critical for CEOs to lead incorporation of their cyber risks into existing risk management efforts. Forget the checklist approach; only you know the specific risk-reward balance for your business, so only you can understand what is most important to your company. It seems simple, but with cybersecurity, the default practice tends to be for organizations to silo considerations about risks into a separate category apart from thinking about their valuable assets. You have to start by identifying what is most critical to protect and work out from there. The process of aligning your core value with your top IT concerns is a journey and is not something that can be solved in one lump investment or board meeting. Just like any risk analysis, it requires serious consideration and thought about what is most important to your core business practices.

Which brings me to the second recommendation to come out of the Cybersecurity Framework effort: don’t begin your journey alone! Bring your leadership team, especially your CIO, chief security officer (CSO), and CISO, into the conversation from the start, to help determine how your IT priorities match to your business goals. Building a diverse team that includes other leaders, such as your head of human resources, will help foster a culture that views cyberthreats not as “someone else’s problem” but as challenges that should be addressed and dealt with as an entire organization. For example, cyber criminals still continue to successfully use fake emails as a primary method for gaining access to a company’s network. Stopping these attacks requires not just a technical solution but also strong training, which is often the responsibility of human resources and not your IT security team.

As more significant challenges arise, and they will do so often and unexpectedly, lean on your leadership team to evaluate problems in relation to the impact to your other business risks. Then let your team address them based on your existing business goals. For example, if you experience a cyber breach or accidental disclosure of sensitive information, a diverse leadership team is incredibly helpful at not just responding to the technical problems but also ensuring other areas such as public image, legal ramifications, and revenue impact are taken into consideration in any mitigation and remediation efforts. It is your job to help frame the problem for your team and provide oversight and guidance, not micromanage a crisis.

As with normal business operations, you should also be asking your team to assist

not having a cybersecurity background, you will certainly be able to make valuable contributions about which cyber risks are acceptable. You will find situations where the operational priorities that you are responsible for as CEO outweigh cybersecurity risks. Your perspective on these matters is what makes you core to leading cybersecurity efforts in your organization.

Finally, as with any risk management effort, you must plan for the best but prepare for the worst. Cyberthreats are very real, and advanced hacking tools once available only to nation-states are regularly sold on the online black market. There are technical architectures that can prevent and limit damage done by cyberattacks (see Palo Alto Networks’ other chapter, “Designing for breach prevention”), but no solution is ever 100 percent. Developing an incident response plan that is coordinated across your enterprise and regularly tested is vital for even the most well-defended organizations. Use your existing risk management practices and your leadership team to identify your most important assets; then plan for what would happen to your company if those assets were shut off or inaccessible for a sustained period of time. Similar to fire drills, regular practice also helps you stay aware of cybersecurity’s constantly changing environment and shows a personal interest that will signal the issue’s importance throughout your company. There are also excellent chapters in this book to get you started in setting up an incident response plan, and there are many good companies that specialize in the sticky problems of rebuilding your network when you need to call in the cavalry.

While risk management is a strong approach to tackling the challenges of cybersecurity, the bottom line is that it will often require some investment in new people, processes, or technology. A common myth is that security must be a cost center for every organization. This view has plagued IT security experts for years, as their efforts are viewed as drains on resources that would otherwise be bringing in revenue. But as you start to lay out cybersecurity from a
    you in day-to-day requirements of your
    cybersecurity, such as reviewing IT budgets
    and personnel security policies. None of this
    is surprising, and you will fi nd that despite

    ■ 90 SecurityRoundtable.org
    know these as web-based email or online
    storage services. They are incredibly popular
    for their low cost, fl exibility, and availability
    across multiple platforms, but they also exist
    on servers outside your control and can pre-
    sent a huge risk from users accidentally
    making company resources available to
    external parties. There are now innovative
    solutions that can manage these programs
    just like any normal application that lives on
    your network and even block their use for
    only malicious purposes.
    True leadership in any issue doesn’t
    involve simply throwing more money at the
    problem; you must always balance the risks
    and rewards of your decisions and invest-
    ments into a coherent strategy. Cybersecurity
    is no different. Unfortunately, today’s reality
    is such that cyberthreats will remain an issue
    of fear for boardrooms in the foreseeable
    future, leading to default knee-jerk reactions
    as new threats evolve. Ultimately, we must
    get to a place where cybersecurity is a nor-
    mal part of any business’s operational plan.
    With cool-headed, rational leadership, you
    have the unique ability to help transform
    this issue in your company from a crisis to
    an opportunity for real innovation.
    risk management perspective, you will
    be forced to identify your most valuable
    assets, pressing vulnerabilities, and core
    motivations. This introspective approach
    can also drive new ideas applicable to your
    core business lines. It is imperative that
    you recognize these innovations and make
    the right investments to reap both the
    benefi ts of better security and new business
    For example, take a company that wants
    to enable its sales staff to securely meet with
    customers face to face away from the offi ce
    for consultations. Using mobile devices and
    phones to access internal company data,
    such as customer accounts, from the fi eld
    can open serious cyber risks. In this case you
    could ensure that when purchasing a mobile
    platform, you also choose a security vendor
    that can provide mobile device management
    capabilities. This allows your IT department
    to secure lost or stolen devices and limit
    malicious software that could be accidental-
    ly downloaded by employees (or often their
    kids), limiting cyber risks and enabling fl ex-
    ibility of your sales team.
    Another great example is the use of soft-
    ware as a service (SaaS) products. You may

Coalfire – Larry Jones, CEO and Rick Dakin, CEO (2001-2015)

Establishing the structure, authority, and processes to create an effective program

Cybersecurity program oversight is currently an unsettling process for many C-suites and boardrooms. Establishing structure, authority, and program oversight should be aligned to existing management processes and structure for other critical programs. However, cybersecurity programs remain unsettling. Why?

Simply put, cybersecurity programs address a different type of risk. Typically, the risk that is being addressed includes sophisticated attacks that are intended to interrupt operations or steal sensitive data. In either case, organizations find themselves under attack. In the case of Sony, a nation-state attacked the company for the sole purpose of disrupting the distribution of media. In the case of JP Morgan Chase, a highly sophisticated adversary launched a denial of service attack against the service delivery platform to disrupt the flow of transactions. Both cases provide business justification to manage cybersecurity initiatives as a bet-your-business type of risk management program.

The connection between the boardroom and those managing the technical infrastructure is critical. However, no board or C-Suite has the skills or knowledge of the threat landscape or technologies involved in cybersecurity programs to flatten the management structure for top to bottom direct management. Each level of the organization must participate in an integrated and collaborative fashion. The structure and risk management responsibilities have been documented many times by well-respected cybersecurity organizations such as the National Institute of Standards and Technology (NIST) in a series of special publications. Coalfire has specifically supported the local adoption and application of these general principles for the electric utility, financial services, health-care, and retail sectors. As a result, this chapter leverages the lessons learned from those previous engagements to provide a condensed but effective approach to cyber risk management and cybersecurity program creation and oversight.
First, the nature of the threat landscape is evolving, while the underlying technology platforms that hold sensitive data are also changing. In this fluid environment, management must create a nimble program of active cyber defenses informed by an iterative risk management process. For the foreseeable future, cybersecurity program oversight will not be one that can be reduced to an annual review process. When cyberattacks go undetected for months and then bring a company to its knees overnight, the level of vigilance and communication is heightened. To be effective, the structure has to be distributed throughout the organization, and risk thresholds have to be set that cause unplanned alerts to drive management action on a regularly scheduled review and ad hoc incident-response basis.

Often the primary risk to cyber assets is a cyberattack. The sophistication and determination of known threat actors drives the executive team to put on war paint and respond in kind. Unlike other enterprise risks that can be managed with traditional controls, cybersecurity requires the mindset of a warrior. Think in terms of Sun Tzu’s guiding principles published in 473 BC, The Art of War: “we must know ourselves and our enemies and select a strategy to positively influence the outcome of battle. There is no reason to fear the attack but there is reason to be concerned about our readiness to defend ourselves from the attack and respond appropriately.”

The most common approach for creating and maintaining an enterprise cybersecurity program follows a five-step risk management process. The process is iterative and constantly informed by new information. I am often asked, “When will the cybersecurity program be completed?” Unfortunately, the answer is never. Cybersecurity has to be viewed as a process and not an end point, the proverbial marathon versus sprint.

Each of the steps in the process requires participation at multiple levels across an

1. Plan
   i. Cyber asset inventory and environment
   ii. Risk assessment and risk management
   iii. Governance and organization structure
2. Protect
   i. Program control design, control selection, and implementation
   ii. Training
   iii. Maintenance
3. Detect
   i. Threat and program effectiveness monitoring and reporting
   ii. Incident alerting and response
4. Respond
   i. Event analysis and escalation
   ii. Containment, eradication, and recovery
5. Adjust
   i. Lessons learned and program
   ii. Communications

The rest of the chapter addresses each step of the cybersecurity program development process and highlights responsibilities for stakeholders throughout the organization.

Figure: Cybersecurity Program

■ Plan

Cyber asset inventory and environment characterization

In accordance with the principles of Sun Tzu, “know thyself.” When cybersecurity programs are managed at only a technical level, the focus of the program is at risk of being misdirected. Sensitive data hosted on an inexpensive platform may belie the true value to the organization. Only senior executives and business unit managers understand the relative importance of specific operations or data.

Simple cybersecurity program designs often include some level of network and data segmentation, encryption, or levels of access. As a senior executive, one of the things you should be asking is if your most important systems and most sensitive data are properly deployed in the protected zones within your system architecture. However, the IT team will never know how to answer that question if senior management (specifically business unit management) does not specifically provide guidance on the relative importance of business functions and their associated systems.

The new generation CIOs and CISOs understand this principle completely, and the best of them have structured the operating environment and security programs to focus on the most important cyber assets. However, to assume all CIOs or CISOs understand this principle of critical asset classification and environment characterization is dangerous, because many do not. The most important part of this discussion is, “Does every business unit manager understand what his or her most critical cyber assets are and where they are deployed?” Even if the CIO and CISO understand the relative priorities, senior executives cannot effectively participate in either cyber risk management or cybersecurity program oversight without first understanding the extent of the environment being protected.

As a quick warning, many of my clients have the false expectation that cybersecurity has become a critical part of the design for new or more modern platforms being purchased from large vendors and hosting providers. This expectation has proven false so many times that it is more realistic to expect that vendors have done little to inherently protect systems or data in the native design of their systems. In many cases, unless deployed appropriately, new cloud and mobile applications can actually decrease the level of cybersecurity already deployed on legacy systems. It is the responsibility of each executive to fully define his or her operating environment and include critical third parties in the assessment.

Although lack of cybersecurity integration by vendors is not universal, we’re seeing some enlightenment in a few security-focused service providers. However, it remains a serious concern for the majority of new system acquisition and support processes, and cybersecurity typically shifts to an add-on feature after procurement of a major new system in many cases. In short, the process of identifying critical cyber assets and the systems that support those assets will remain a key part of the cybersecurity program oversight function for the long term. The process of ‘knowing thyself’ has been expanded to knowing your partners and vendors and where your sensitive data has been shared or managed by third parties.

The following is a quick test:
• What are your top 3 most important business processes, and what systems support those functions?
• Does the way your CIO answers the previous question match your understanding of critical systems?

Risk assessment and risk management strategy

After a solid understanding of the battlefield is established and executives appreciate the critical cyber assets being protected, an assessment of risk to those cyber assets is critical to the design of the cybersecurity program. The ability to adjust the program to meet the evolving threat landscape and technology architecture shifts is an important component of organizational security maturity. Responsibilities for conducting an effective cyber risk assessment are distributed at three levels, as shown in Figure 2.

The primary objective for a risk assessment is to drive selection of adequate and rational controls and then assign responsibilities to manage those controls. During the process the environment will be characterized to bring context, and the existing system vulnerabilities and weaknesses will be evaluated to select controls to offset the probability of compromise during an attack. A comprehensive cybersecurity program addresses administrative, physical, and technical controls as an integrated suite.

Once the inherent threats and vulnerabilities are understood within the context of the impact they could have on the organization, its clients, and partners, senior executives must approve the risk management strategy. Many executives want to see all risk either mitigated or transferred. However, the bulk of companies in critical infrastructure industries end up accepting some level of risk in their strategy. Cost, continuity of operations, or other concerns may drive the formation of the cybersecurity program to mitigate what is reasonable and accept the residual risk. Cybersecurity insurance is becoming an increasingly popular means of transferring risk but comes with the requirement that you understand risk in ways that may not have been previously considered. It is important that the business units and security staff are able to communicate the constraints as well as the risk mitigation alternatives for senior executives to make reasonable decisions on risk management strategies.

Governance and organization structure

The risk assessment management duties and responsibilities are typically allocated in accordance with Table 1.

■ Protect

Program design and implementation

The outcome for any cybersecurity program is the expectation that an organization can defend its critical cyber assets from irreparable damage resulting from a cyberattack. The impact of cyberattack is different for every organization. As a result, the cybersecurity strategy and associated program must be considered against the potential

Figure 2: Cyber Risk Organizational Structure and Responsibilities (Tier 1, Tier 2, Tier 3)

Table 1: Levels of Authority and Responsibility

Executive
• Prioritize critical assets
• Establish risk appetite
• Approve risk management strategy
  – Mitigate the risk
  – Transfer the risk
  – Accept the risk
• Approve the program and policies
• Assign responsibilities
• Provide oversight

Business Unit
• Define boundaries
• Design use case scenarios to understand impact from system attack and compromise
• Identify constraints for mitigating all risk
• Develop a justified risk management strategy
• Identify all required users of systems or delegates to receive data on a “need to know”
• Recommend technical and physical controls

Systems Management
• Identify threats and system vulnerabilities
• Evaluate the likelihood and probability of impact for each threat and vulnerability
• Estimate the impact on systems and operations from a financial, legal, and regulatory

Although security programs are different for every company, the principles for developing the program are fairly consistent. NIST Special Publication 800-53 has done a good job in describing the selection of controls for high-, medium-, and low-level impacts. Every organization needs access controls, but only those that result in national security impact are realistic candidates for deploying the high-level version of that control. Many executives are “sold” a package of controls because they are used by the NSA, but the question to ask is, “How does the NSA mission relate to our operations?”

As discussed in the risk assessment segment, executives have to define their risk appetite. This is hard during the early days of cybersecurity program development because most of the C-suites have an inherently low risk appetite and do not yet understand the impact of lowering the threshold for control selection. As a result, cybersecurity programs are often a work in process for several years.

The best cybersecurity programs are the ones that staff and partners will actually execute. Contrary to what many vendors and partners will tell you, the magic is not in the security solutions selected. Rather, the magic is in the ability of the organization to manage those solutions to mitigate risks. Because the security skills available in the industry today are low and growing increasingly rare, companies should expect to spend a disproportionate amount of training dollars on cybersecurity.

Anyone working in forensic response will tell you that system compromise and data breach are rarely the result of some sophisticated attack that no one has ever seen before. The bulk of effective attacks use vulnerabilities that have been known for years. Cross-site scripting, shell or SQL injection, shared administrator accounts, lack of patching, and other standard security hygiene issues are normally the culprits. There are two significant operations that go dramatically underfunded in most organizations: maintenance of systems and security controls, which leaves organizations vulnerable to attack.
■ Detect

Program monitoring and reporting

The days of ‘acquire, deploy, and forget’ are over. For years, senior executives did not have to participate in cybersecurity program oversight, because a combination of firewalls, malware protection, and light access controls were adequate to defend against previous generations of relatively static cyberattacks. Today, continuous monitoring is critical to see the evolving threat and technology landscape.
Cybersecurity programs have moved from a period of static defenses to active defenses, and we must become more nimble to successfully protect critical systems and sensitive data. From a military perspective, think of this shift as moving from multiple armored divisions with significant force and firepower protecting cities or regions to the more recent Special Forces mindset, in which quick detection and reaction are the key to success.

In the previous section, we mentioned two areas for increased investment. The second area is to develop cybersecurity programs with a much higher focus on threat intelligence, monitoring, and alerting. This requires new security solutions and specially trained security professionals. The old line of firewalls, malware protection, and access controls are still required, but much more active system patching, vulnerability management, and monitoring are driving modern security programs.

To avoid the perception of negligence, senior executives often reinforce old line security controls that are audited for regulatory compliance. However, focusing only on compliance will not secure an organization. Cyberthreats are ongoing, while compliance is a point-in-time review. What is needed to address increasing cyberthreats is a nimble program that can suffer an intrusion but repel the intruder and recover operations quickly. Just like a good boxer needs to be able to take a punch and stay in the ring, companies today must be able to absorb a cyber punch and keep operating while at the same time mitigating and recovering.

Incident alerting and escalation

Identifying a potential attack is only half the solution. Cybersecurity programs must alert the technology teams and business units to respond appropriately. One potential response is to take systems offline. Without executive and business unit involvement, a poor decision could be made.
■ Respond

Response capabilities vary after discovery of a cybersecurity incident, and organizations are typically faced with two unappealing options:

1. Pull up the drawbridge and stop the hordes from overrunning the castle.
2. Keep the drawbridge down while trying to figure out where the bad guy is.

The most immediate, and some say rational, response is to “pull up the drawbridge” to eliminate whatever access hackers have. Unfortunately, this alerts the bad guy that you know he’s inside, so whatever systems and accounts he may have compromised or whatever backdoors he’s created will be unknown. On the other hand, if a company decides to take option two, to play it low-key and continue with business as usual to determine the scope of the problem, the organization can determine what systems have been compromised, what new privileged accounts have been created, and what back doors may exist. This will give the company a better chance of long-term success in eliminating the breach and repairing lost or damaged information. One response is not necessarily better than the other, because situations vary. However, these critical decisions must be made almost immediately.
■ Adjust

No program is ever perfect. Continuous monitoring and reporting will enable all three tiers of responsibility to constantly adjust the program and inform the other tiers of actions.

■ Summary

Effective cybersecurity program development and oversight requires executives to implement and manage a distributed process at three levels within an organization: executive level; business unit level; and operational level (Table 2).

Table 2: Levels of Authority and Responsibility (columns: Executive, Business Unit, Systems Management)

Plan
• Prioritize systems and functions for
• Establish risk
• Inventory critical
• Risk assessment
• Select justified
• Develop an architecture to integrate controls
• Provide periodic updates to executives to help them understand context for the program

Protect
• Approve program strategy
• Approve standards and metrics for control oversight
• Approve policies
• Train users
• Enforce controls
• Design and manage physical and logical
• Design, deploy, and manage technical

Detect
• Receive periodic threat briefings and controls
• Receive periodic education on changes to the threat landscape and emerging
• Incident and event reporting from staff, partners and third parties
• Operate system and control monitoring
• Actively participate in threat intelligence

Respond
• Lead Incident Response Team
• Participate in the Incident Response
• Containment
• Recovery

Adjust
• Allocate resources for program
• Deploy enhanced
• Deploy updated and physical
• Provide advice for control

If Sun Tzu lived today, he would clearly see the nature of current cybersecurity programs and responsibilities and recognize the criticality of executive level management. We have to take a warrior’s attitude in developing strategies and programs to be successful in combatting the cybersecurity challenges we face today.

    Electronic version of this guide and additional content available at: SecurityRoundtable.org
Cybersecurity legal and regulatory considerations

Booz Allen Hamilton – Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate; Agatha O’Malley, Senior Associate; Jaqueline Cooney, Lead Associate; and Waiching Wong, Associate

Securing privacy and profit in the era of hyperconnectivity and big data
Companies increasingly use consumer data, including personal information, to stay competitive; this includes the capability to analyze their customers’ demographics and buying habits, predict future behaviors and business trends, and collect and sell data to third-parties. Consumers’ willingness to share their data centers on trust, however, and 91% of adults believe that they have lost control over how their personal information is collected and used (2014 Pew Research Center). So how do companies effectively manage consumer data while simultaneously building trust? It has been said that you cannot have good privacy without good security. A first step is to build an effective security program while also better understanding what privacy means and how it can be a strategic business enabler in our era of hyper-connectivity and “big data”.

■ Why does this matter? The data economy

The power and insights driven by consumer data have changed the corporate landscape. This has created the data economy—the exchange of digitized information for the purpose of creating insights and value. Companies are building entire businesses around consumer information, including building data-driven products and monetizing data streams. This is a supply-driven push made possible by widespread digitization, ubiquitous data storage, powerful analytics, mobile technology that feeds ever more information into the system, and the Internet of Things. This also has a demand-driven effect as more consumers expect their products to be “smart” and their experiences to be targeted to delight them on an individual basis.

The data economy goes beyond the tech industry. For example, many supermarkets now record what customers buy across their stores and track the purchasing history of loyalty-card members. The most competitive companies will sift through this data for trends and then, through a joint venture, sell the information to the vendors who stock their shelves. Consumer product makers are often willing to purchase this data in order to make more informed decisions about product placement, marketing, and branding.

The enabler of the data economy is data itself. Individuals generate data. They do this every time they “check in” to a location through a mobile app, when they use a loyalty card, when they purchase items online, and when they are tracked through their Internet searches. Companies gain consumers’ trust and confidence through transparency about the personal information that they gather, providing consumers control over uses and sharing of such information, and offering fair value in return.

Every minute:
• Facebook users share nearly 2.5 million pieces of content.
• Twitter users tweet nearly 300,000 times.
• YouTube users upload 72 hours of new video content.
• Amazon generates over $80,000 in online sales.

■ Privacy definitions vary

“Privacy” may have different meanings to stakeholders due to factors such as the context, prevailing societal norms, and geographical location. There is no consensus definition of privacy, which makes it challenging to discuss, and act upon, a need for privacy. However, an important central concept regarding privacy recurs, which is, the appropriate collection, use, and sharing of personal information to accomplish business tasks. Determining what appropriate and limited means for your customer is key to gaining trust and unlocking the potential of the data economy.

■ What is personal data?

Personal information comes in variations such as: (1) self-reported data, or information people volunteer about themselves, such as their email addresses, work and educational history, and age and gender; (2) digital exhaust, such as location data and browsing history, which is created when using mobile devices, web services, or other connected technologies; and (3) profiling data, or personal profiles used to make predictions about individuals’ interests and behaviors, which are derived by combining self-reported, digital exhaust, and other data. According to research, people value self-reported data the least and profiling data the most (2015 Harvard Business Review). For many companies, it is that third category of data, used to make predictions about consumer needs, that truly provides the ability to create exciting, thrilling products and experiences. However, that same information is what consumers value the most and seek to protect.

    103 ■
Privacy is very often conflated with security. While privacy is about the appropriate collection, use, and sharing of personal information, security is about protecting such information from loss, or unintended or unauthorized access, use, or sharing.

■ Privacy and security intersect through
Although privacy and security are two separate concepts, the importance of these two ideas intersects for the consumer if personal information is not safeguarded. In a nutshell, consumers are more likely to buy from companies they believe protect their privacy. Large-scale security breaches, such as the recent theft of credit card information of 56 million Home Depot customers (2014) and 40 million Target shoppers (2013), provide consumers with plenty to worry about. Breach-weary consumers need to know whom to trust with their personal information, to ensure that only the company that they provided the information to can use it. Risk management for data privacy and security of that data should guard against external malicious breaches, inadvertent internal breaches, and third-party partner breaches.

■ Privacy is linked to trust—differentiate with it
Trust, and the data that it allows companies to have access to, is a critical strategic asset. Privacy issues that erode trust can dismantle the goodwill that a brand has spent decades building with consumers. Forward-leaning companies are already moving toward proactively gaining the trust of their customers and using that as a differentiator. Learning from its issues with the lack of security on iCloud, Apple now markets all of the privacy features of its products and apps. With an eye toward the desires of its customers, the iPhone’s iOS 8 is encrypted by default. This makes all “private” information such as photos, messages, contacts, reminders, and call history inaccessible without the user’s passcode (a four-digit PIN or a longer numeric password). In 2012 Microsoft launched its “Don’t get Scroogled” campaign as a direct attack on its rival, Google, by highlighting that its Gmail service scans emails in order to target and tailor advertising to the user. In 2013 Microsoft ran TV ads claiming that “your privacy is [Microsoft’s] priority.”

Companies are also competing to be privacy champions against government surveillance. For the last few years, the Electronic Frontier Foundation has published the “Who Has Your Back” list—highlighting companies with strong privacy best practices, particularly regarding disclosure of consumer information to the government.

■ Challenges and trends
Maintaining compliance
Beyond the moneymaker of the data economy, there is also a need to comply with a swirl of conflicting regulations on privacy. For global companies, this task is made more difficult as privacy regulations vary by region and country. Although international accords often serve as the basis of national laws and policy frameworks,1 the local variations complicate compliance. For example, the May 2014 ruling of the European Court of Justice on the “right to be forgotten” set a precedent for removing from search results information that is deemed to be no longer relevant or not in the public interest, by affirming a ruling by the Spanish Data Protection Agency. Countries across Europe have applied the ruling at a national level, so its implementation is not exactly the same from country to country.2 Compliance with this decision has yet to be fully understood. Google has fielded about 120,000 requests for deletions and granted approximately half of them.3

Compliance is costly and complicated. Beyond technical issues (which were easier to solve), Google’s main issue with compliance was administrative—forms needed to be created in many languages, and dozens of lawyers, paralegals, and staff needed to be assembled to review the requests. Issues remain, such as the possibility of removing links from Google.com as well as from country-specific search engines.
Compliance with established laws in the U.S. is often topic- and industry-specific. For example, Congress has passed laws prohibiting the disclosure of medical information (the Health Insurance Portability and Accountability Act), educational records (the Buckley Amendment), and video-store rentals (a law passed in response to revelations about Robert Bork’s rentals when he was nominated to the Supreme Court).4

Growing data = growing target for hackers
As data availability increases, the attractiveness of datasets for hackers increases as well. Companies in all sectors—health care, retail, finance, government—all have datasets that are attractive to hackers. Just a few of the confirmed cyberattacks that targeted consumer information in 2014 include: eBay, Montana Health Department, P.F. Chang’s, Evernote, Feedly, and Domino’s Pizza.5

Beyond personal information
Personal information (PI) is described in privacy and information security circles as information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. With the advent of rich geolocation data and powerful associative analysis, such as facial recognition, the extent of PI is greatly expanded. Regulations are struggling to keep up with the changes, and companies can maintain consumer confidence by collecting, using, and sharing consumer data with privacy in mind.

■ What to do? Build consumer trust
To unlock the data economy, companies will need to tune in to their customers’ needs and move quickly to earn and retain customer trust. Privacy can be a competitive differentiator for your business—and this goes beyond lip service. Appropriate privacy policies are needed internally; this means building privacy considerations into business operations and expected employee conduct, along with a clearly defined means of enforcement. Externally, this means building privacy considerations into the products and services offered to customers. Some of the ways to do this include the following:

Create easy-to-understand consumer-facing policies
The average website privacy policy runs more than 2,400 words, takes 10 minutes to read, and is written at a university-student reading level.6 No wonder half of online Americans are not even sure what a privacy policy is.7 Writing clear, easy-to-understand consumer-facing policies can help you increase the number of people who will actually read them, and you will gain the trust of your consumers. No company has a perfect solution, but many organizations have come closer. Facebook has recently rewritten its privacy policy for simplicity and included step-by-step directions for users.8 To increase trust, privacy policies should clearly state the following:
1. the personal information that you will collect
2. why data is collected and how it will be used and shared
3. how you will protect the data
4. an explanation of the consumer benefit from the collection, use, sharing, and analysis of their data.

Additionally, companies should give a clear and easy opt-out at every stage and only use data in the ways stated. To ensure that the data is used in the ways stated, develop clear internal data use and retention guidelines across the entire enterprise, limit internal access to databases, create a procedure for responding to cyberattacks, and link it directly to the consumer privacy policy.

Go “privacy by design”
The concept of “privacy by design” is integrating and promoting privacy requirements and/or best practices into systems, services, products, and business processes at the planning, design, development, and
implementation stages, to ensure that businesses meet their customer and employee privacy expectations, and policy and regulatory requirements. The approach is a market differentiator that is intended to reduce privacy and security risks and cost by embedding relevant company policies into such designs. As such, privacy settings are automatically applied to devices and services. Privacy by design and default is recognized by the U.S. Federal Trade Commission as a recommended practice for protecting online privacy, is considered for inclusion in the European Union’s Data Protection Regulation, and was developed by an Ontario Information and Privacy Commissioner.

Communicate your good work
Privacy policies and actions are more than legal disclosure; they are marketing tools. All the actions you take to protect consumers’ privacy should be communicated so they know you can be trusted. The Alliance of Automobile Manufacturers, representing companies such as Chrysler, Ford, General Motors, and Toyota, publicly pledged more transparency about how they will safeguard data generated by autonomous vehicle technologies. Many groups have published data principles that communicate how data is gathered, protected, and

■ Conclusion
Our current data economy brings exciting opportunities for companies to grow by enhancing their products and services. These innovations rely on consumers to trust your organization with their personal information. Building consumer trust includes keeping information safe from hackers, creating easy-to-understand consumer-facing policies, and applying the principle of “privacy by default”. Companies that reframe these actions as business enablers instead of business costs will thrive—and find it easier to comply with an increasingly complex web of regulations. Finally, communicating your good work to consumers will elevate the profile of your organization as a trusted partner, and pave the way for future gains.

1. https://www.eff.org/issues/international-
2. http://www.hitc.com/en-gb/2015/07/
3. http://www.newyorker.com/magazine/
4. http://www.newyorker.com/magazine/
5. http://www.forbes.com/sites/
6. http://www.computerworld.com/article/2491132/data-privacy/new-
7. http://www.pewresearch.org/fact-tank/
8. https://www.washingtonpost.com/blogs/the-switch/wp/2014/11/13/
9. https://fortunedotcom.files.wordpress.com/2014/11/privacyandsecurityprinciplesforfarmdata

SecurityRoundtable.org

Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC – Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director

Oversight of compliance and control responsibilities

For too long, cybersecurity has been considered the realm of the Information Technology (IT) Department, with corporate executives assuming that the goal of cybersecurity is simply to make sure IT is secure enough to allow the company to use data reliably to do its business. In today’s economy, however, data are not only a tool for doing business but also a core asset of the business itself. The collection, analysis, and sale of rich data about one’s products and customers inform decision-making and business strategy and provide a key revenue generator for many companies. Because data are now so valuable, the increasingly pervasive and debilitating nature of cyberthreats poses an existential threat to the company’s success. Data’s value to cyber criminals also has the attention of federal and state regulators concerned with consumer privacy and safety, posing new legal and compliance challenges.

This is why companies can no longer afford to approach the oversight of cybersecurity as an IT issue. Simply because a cyberthreat’s mode of attack usually exploits vulnerabilities in a company’s IT infrastructure does not mean that oversight should rest purely with the team that maintains and repairs that infrastructure. Certainly, a secured IT infrastructure is crucial and an important first line of defense. However, the enterprise risk created by cyberthreats requires a holistic approach that considers the management of an entire array of impacts—from reputational to regulatory to financial—that transcend core IT competencies and functions. Because securing today’s data is central to securing the company’s future, effective
oversight of cybersecurity compliance and controls requires leadership from the C-suite and the boardroom.

Critically, this leadership must be coordinated. For a company’s cybersecurity compliance and control programs to be effective, efforts must be structured in ways that ensure the board and senior management, including the C-suite, work together to achieve its risk objectives. Each has distinct cybersecurity responsibilities: senior management is responsible for determining relevant cyber-related risks and implementing a compliance program that incorporates appropriate processes and controls to mitigate them, whereas the board is responsible for overseeing the risk identification process and independently evaluating whether the program is designed, implemented, and operating effectively to meet the company’s cybersecurity risk mitigation objectives. Meeting these responsibilities well requires a formalized integrated approach to cybersecurity risk evaluation, defined roles and responsibilities, and implementation of a program that is supported by the board, clearly articulated by the C-suite, and effectively implemented by operational resources. Disconnect between the board, C-suite, and operations poses as much of a challenge to corporate cybersecurity as cyberthreats themselves.

■ Cybersecurity oversight is risk management
To understand why coordinated C-suite and board oversight of cybersecurity is essential, one must understand cybersecurity as a means of managing and responding to corporate risk. The purpose of risk management in general is to identify and mitigate the risks a company faces to a level acceptable to the enterprise as determined by the board, a level known as a company’s “risk appetite.” The strategies and objectives for managing risks and responding to threats are articulated in the policies, procedures, and controls of the organization and are the responsibility of senior management.

One significant and growing area of risk for most companies is data risk. Data risk encompasses the risks of financial loss; business or operational disruption; loss or compromise of assets and information; failure to comply with legal, regulatory, or contractual requirements; or damage to the reputation of an organization because of the unauthorized access to or exploitation of data assets. Cybersecurity is the protection of data assets from unauthorized electronic access or exploitation risks through processes designed to prevent, detect, and respond to these risks.1 Effective oversight of cybersecurity is therefore essential to a company’s oversight of risk management.

Two core components of the company’s cybersecurity program must be overseen at the highest levels of management: compliance and controls. Compliance here means the company’s program for ensuring actual adherence to internal cybersecurity policies as well as external privacy and data protection laws and regulations in the jurisdictions where the company operates. Controls mean the company’s systems and processes for protecting its data infrastructure and carrying out incident response. These components should be overseen actively to confirm that compliance and controls are going beyond mechanical application of generic cybersecurity rules and standards, which may just establish a regulatory floor for corporate practices, not a set of industry-leading practices, and which may not be appropriate or relevant to the threat landscape and unique regulatory requirements for the company’s industry. Moreover, even industry-leading practices quickly may become dated, because regulators’ views on “reasonable” cybersecurity are changing all the time.2 The legal risks from inattentive oversight are limited only by plaintiffs’ imagination and regulators’ zeal, and the practical risks are limited only by hackers’ ambition and creativity.

From a risk management perspective, the key inquiry revolves around the value of each data asset. For example, data assets whose business usefulness has long passed may still be rich in information that may be embarrassing to the organization if released publicly. So in a way, cybersecurity risks are
partially an extension of data retention risks, for what the organization does not have (and has no obligation to keep) cannot be hacked.

Thus, the board and senior management must approach the oversight of cybersecurity compliance and control from a broader risk management vantage point: one that weighs the value of the data as an asset class to the organization, the value that may be assigned by the threat actors who may seek the asset, and the broader impact and costs—including but not limited to legal and compliance costs—stemming from the potential compromise of data.

In this vein, perhaps the board’s most critical inquiry to senior management is whether the organization has adopted sufficient processes to inventory and value its various data assets. From a cybersecurity perspective, senior management should then weigh under what circumstances, through what channels, and on what platforms the organization’s most critically valued data assets should be made accessible.

■ Board of directors’ role in oversight of compliance and controls
Too often, boards have exercised limited oversight of cybersecurity, yet monitoring the management of data risk associated with cybersecurity is part of the board’s fiduciary duty to the corporation. The time for the board to begin to play an oversight role is not the moment when data actually are put at risk, through a breach or corporate theft; the board must build cybersecurity oversight into its general strategy for overseeing risk management from day one.

Managing the risks associated with cybersecurity compliance and control involves determining one’s risk appetite in a variety of areas and requires senior management to make fundamental judgment calls about the design of the control environment, the scope and depth of the compliance program, and the resource allocation for each. The board must be well informed of how the corporate leadership is managing these risks and able to assess the adequacy of the organization’s risk management.

The board also has to be sure to engage in oversight of cybersecurity compliance and controls at all phases of the company’s data risk management “lifecycle.” See Figure 1. The lifecycle involves, first, identification—looking at the company’s cybersecurity risk profile, identifying the key data assets that have to be protected (the “crown jewels”), and determining the applicable laws and regulations governing their protection; next, design and implementation—creating and implementing operational controls and compliance processes to manage the risks to those data assets; next, monitoring—actively overseeing the compliance processes and controls; next, evaluation—evaluating the effectiveness and management of the controls and compliance processes implemented; and finally reporting and reassessment—documenting how the controls and compliance processes are working, and reassessing to the extent that there are gaps. The last phase of the lifecycle involves internal reporting on capabilities to respond to threats, external reporting on those capabilities to stakeholders (e.g., SOC 2 reporting), and adjusting management to respond to internal drivers (e.g., business changes) and external drivers (e.g., constantly evolving regulatory requirements and guidance). Strong C-suite supervision and board oversight are needed at every phase.

The oversight and compliance need not rest on the entire board—a standing committee comprising knowledgeable board members, armed with outside expertise where appropriate, often can provide a more focused and better informed oversight. However, whatever oversight activities are undertaken must be documented so that the board can show that it is carrying out its fiduciary duties.

■ Building blocks of effective oversight of cybersecurity compliance
An organization’s cybersecurity compliance efforts must support the company’s business units and management in their efforts
to achieve compliance with government rules and regulations as well as the organization’s internal policies and procedures by (1) identifying risks; (2) preventing risks through the design and implementation of controls; (3) monitoring and reporting on the effectiveness of those controls; (4) resolving compliance difficulties as they occur; and (5) advising and training.3

There are several steps the board and C-suite should take to provide effective oversight of the cybersecurity compliance program’s execution of all of these functions. First and most important, the C-suite should implement an enterprise-wide approach to compliance risk management. As part of this approach, the organization should create a formalized Cybersecurity Risk Management Plan that is reviewed by the board. If the Plan is developed internally by the corporate leadership, the board should consider obtaining outside review for deficiencies or improvements. A mechanism for periodic updates to the Plan should be included in the Plan; many companies get into trouble with regulators for failing to update their cybersecurity approach as their business model changes or as regulations or enforcement strategies change.

If the company is operating in the United States, the Plan must be neither aspirational nor hyper-specific. An aspirational plan—one that sets out where the organization envisions its cybersecurity program to be at some point in the future—may end up causing the company to look like it is falling short if regulators come calling. Similarly, a hyper-specific Plan may put the company at risk of technical noncompliance. In short, the Cybersecurity Risk Management Plan should match what the company actually does.

Figure 1. Data risk management lifecycle

Second, the C-suite should extend the enterprise-wide approach to compliance risk management to the company’s entire ecosystem—its vendors and other third-party partners (e.g., cloud services providers, outside data processors). This means ensuring that oversight is robust for the corporate vetting of cybersecurity practices at third parties and that the contractual relationships with third parties allow for monitoring and oversight. Many technological innovations are leading companies to outsource aspects of their business involving data, but this comes with risks of the partners not securing data to the degree the company does.

Third, the C-suite should ensure—and the board should monitor—the independence of the cybersecurity compliance team from the company’s IT and business units. Given silos that frequently develop around the compliance, IT, and business teams, the C-suite ought to ensure that the compliance team has the resources and skills to independently evaluate the sufficiency of the company’s cybersecurity program. If the compliance team is not equipped to understand what technological steps the IT team is or should be taking to advance the organization’s cybersecurity, and so defers entirely to their judgment, it may fail to apprehend the compliance implications of the steps ultimately taken.

Of course, independence should not mean isolation. It is critical that these teams can and do speak to each other regularly: compliance risks arise in the IT and business lines, and the compliance team must be involved in assessing those risks. For example, if a new business line involves collection of new pieces of customer data, failure to ensure that data are properly secured and kept private from the start creates compliance risks. Likewise, the IT Department’s failure to patch software in a timely manner creates compliance risks. The compliance team must be sufficiently in the loop to ensure steps are being taken to prevent these failures, without being operationally involved in the actual prevention efforts. This can be achieved through well-developed monitoring and assessment processes that encourage timely internal communication of potential risks to the compliance team.

Fourth, consistent with the risk management lifecycle, the C-suite should make sure it has effective means to test compliance in practice and communicate the results to the board. It is critical for updates to cybersecurity compliance policies to actually translate into updated implementation, and the board must be able to see—and where needed spur—this implementation. (See the next section.) The C-suite also has to be able to test to see that cybersecurity compliance is taking root across the company’s operations and prevent ‘siloing’ within business lines or cost centers.

Fifth and finally, the board should make cybersecurity compliance a priority, plain and simple. None of the above measures will be prioritized at the senior management level and below unless they are also the board’s priority.

■ Building blocks of effective oversight of cybersecurity controls
Board and C-suite oversight of cybersecurity controls relates to the control of associated enterprise risks: legal, financial, regulatory, and reputational, to name a few. None of these risks can be fully avoided, but effective controls can reduce their impact on the organization, and effective oversight can ensure that these controls are thorough.

One step a board can take to provide effective oversight of cybersecurity controls is to ensure that the controls implemented by the C-suite contain prevention, detection, and rapid remediation components. Many companies focus on prevention and detection, but not remediation, and then are caught off guard when they learn of an intrusion requiring immediate remediation that went undetected. Prevention measures include data inventorying, data loss prevention planning, strong perimeter and internal defenses, and processes for timely patching of core software to plug security holes. Many of these are IT measures, but prevention is not
limited to IT and includes building a corporate culture that is mindful of data risk, as is discussed more below.

Detection measures include analysis of operational data and anomaly detection as well as systems for logging, monitoring, and testing data moving into and out of the corporate IT environment and across various devices (e.g., from computer to cloud service or external storage devices), where legally permissible. Rapid remediation measures include incident response plans that are rehearsed, implementation of forensic recovery tools, and measures to quickly restore failed systems from back-ups. Boards should recommend appointment of a permanent incident response team—comprising senior management from IT, legal, compliance, vendor management, PR, investor relations, and business lines—to lead the incident response efforts, report incidents and remediation plans to the C-suite and the board, and notify external regulators and customers when necessary.

In line with the previous point, a key step the C-suite should take is to oversee lines of communication among the various parts of the company that either manage or make use of the company’s cybersecurity controls. If a business line is experiencing occasional bugs in its online customer order processing, for example, and IT is not informed of the issue in a timely manner, malware may go undetected. If an employee with database access quits and HR does not inform IT in a timely manner, then user credentials may remain active long after they should.

Another key step the C-suite can take is to prioritize regular training of employees—at a minimum annually—on cybersecurity threats and how to avoid them. A surprising number of threats can be thwarted by employee education about suspicious emails, strong password practices, and cautious use of personal devices. The more employees at every level learn to treat data as a valuable asset, the more careful they will be. Conversely, no matter how strong a company’s cybersecurity controls, it only takes one employee mistake to expose sensitive company data.

As with cybersecurity compliance, for the above measures to be prioritized, they must be a board priority. In this vein, the board should check to see that cybersecurity controls are appropriately funded; none of these controls can be prioritized without adequate funding.

■ Implementation challenges
Even the best designed data security initiatives are prone to failure if not implemented correctly. A common problem that can occur even after apparently successful program implementation is a disconnect between appropriately drafted policies and procedures on the one hand, and operational practices and technology infrastructure (in-house and third party-managed) on the other, and a failure of the board to notice.

Cybersecurity policies and procedures are effective only if they are tailored to the company’s unique business environment, applicable regulatory requirements, and known security risks. However, too often, boards and C-suite leadership oversee the development and adoption of boilerplate policies and procedures that, although perhaps built on generally appropriate foundations, are either insufficiently customized or implemented inappropriately. The resulting disconnects may lead not only to damaging data breaches and unauthorized disclosure of personal information but also to scrutiny from regulators and actions from the plaintiffs’ bar. For example, the Federal Trade Commission (FTC) currently views the disconnects between cybersecurity policies and procedures and their actual implementation as unfair or deceptive trade practices under Section 5 of the FTC Act, and this is a trend that senior executives should expect to continue.

It is critical to the success of a cybersecurity program that the operational uptake of—and ongoing adherence to—program requirements are measured effectively. Monitoring of the program not only enables effective reporting up to the board but also, more importantly, identifies vulnerabilities in the program and areas for improved
    business asset is clearly established; its value
    is verifi ed on a daily basis by those who seek
    to gain access to business networks and
    view, remove, or otherwise exploit the data
    residing there. However, resources allocated
    to cybersecurity are still frequently an IT line
    item, rather than an enterprise-wide issue.
    Businesses operating in this environment of
    perpetually evolving digital risks must rec-
    ognize that data security is no longer a cost
    of doing business; it is a core component of
    remaining in business. As such, budgets
    must be allocated appropriately to meet the
    risks. Budgets vary according to business
    type, data types and sensitivity, volume of
    data, sharing with third parties, and any
    number of other of risk factors that must be
    considered by the board and executives. The
    budgeting process has to enable the compa-
    ny to do more than get the right people and
    processes in place but also to implement
    technology that truly addresses the security
    needs of the organization. This process
    requires commitment from the C-suite and
    oversight from a board that understands the
    importance of cybersecurity.
    Cybersecurity budgeting also must
    include dedicated resources for training of
    personnel. As mentioned above, the human
    element is frequently the weakest link in an
    otherwise solid data security program. Staff
    must have the resources they need to be
    trained not only to be proactive in taking
    steps to safeguard data but also to recognize
    attempts by unauthorized parties trying to
    gain network access. Phishing, for example,
    remains a remarkably effective tool for gain-
    ing credentials that open a door to the net-
    work and the data therein, and inadequate
    training may increase a company’s vulnera-
    bility to phishing attacks. Regulators know
    this and expect board members providing
    cybersecurity oversight to know, too.
    The board and C-suite also must bear in
    mind that successful initial implementation of
    a cybersecurity program does not necessarily
    lead to a cybersecurity program that has lon-
    gevity. Ongoing success is largely dependent
    on top-down involvement by the board and
    active management by the C-suite. The board
    security. Although evaluating the effective-
    ness of a cybersecurity program would
    appear to be a core component of any suc-
    cessful implementation, many organizations
    fail to adequately address this need, often
    leading to exploited weaknesses, data
    breaches, and programmatic failure.
    Effective metrics for evaluation can be
    broken down into several categories to ena-
    ble more targeted application across the
    enterprise. Programmatic metrics measure
    the progress of various organizational com-
    ponents of the information protection pro-
    gram, such as overall program development,
    implementation, and maintenance (e.g.,
    cybersecurity policies are updated to meet
    new regulatory requirements). Operational
    metrics measure the performance of (as the
    name implies) various operational compo-
    nents of the information protection program;
    the number of cybersecurity incidents per
    reporting period is an excellent example.
    And compliance metrics measure individu-
    als’ compliance with program requirements.
    Such metrics may measure, for example,
    whether employees are observing required
    data security protocols when sending sensi-
    tive customer information to a third party
    for processing. In general, the trend for
    many of these metrics is toward the meas-
    urement of outcomes; metrics that demon-
    strate a company’s frequent intrusion detec-
    tion scanning are not helpful if the outcome
    is still a high number of intrusions each year.
    Regardless of whether your organization
    is seeking to measure programmatic, opera-
    tional, or compliance aspects of your cyber-
    security program, the metrics that you
    design must be clearly defi ned and meaning-
    ful and measure progress against a clearly
    stated objective. A properly implemented
    metrics program helps leadership ascertain
    initial uptake and improve the compliance
    with—and performance of—a well-designed
    cybersecurity program.
    Another challenge for effective imple-
    mentation of cybersecurity compliance and
    controls—and one that must be closely mon-
    itored by the board—is resource allocation.
    The recognition of data as a highly valued

    ■ 114 SecurityRoundtable.org
    ensure that these measures are being adopt-
    ed. Only with consistent C-suite involve-
    ment and strong board oversight—informed
    by an understanding of data risk as a central
    enterprise risk—can cybersecurity challeng-
    es be handled effectively.
    1. See NIST, “Framework for Improving
    Critical Infrastructure Cybersecurity”
    (2014) (defi ning “cybersecurity”). Of
    course there are many defi nitions of
    “cybersecurity”; the NIST defi nition
    adapted here is just a recent American
    2. For example, some regulators require
    certain data to be encrypted while many
    others do not. See, e.g., 201 Mass. Code
    Regs. § 1700 (2009).
    3. See International Compliance Association,
    “What is Compliance?,” available at http://
    should be apprised regularly of data security
    incidents and emerging data risks, as well as
    changes to the regulatory environment. An
    actively informed and involved board, work-
    ing in harmony with the C-suite, enables agile
    enterprise-wide response to evolving threats
    and appropriate upkeep and improvement of
    a robust cybersecurity program.
    ■ Conclusion
    Today’s cybersecurity risks affect organiza-
    tions of all sizes and across industries
    and lead to not only IT headaches but also
    headaches for the entire business. Companies
    are increasingly put into the unenviable
    position of needing to put up shields against
    a variety of cyberthreats, knowing that no
    defense can provide perfect protection.
    However, the C-suite nevertheless must
    strive to employ strong cybersecurity com-
    pliance and control measures that go beyond
    mechanical satisfaction of applicable legal
    rules, and the board has an obligation to

    115 ■
Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate
Risks of disputes and regulatory investigations related to cybersecurity matters
Disputes and regulatory investigations are two of the more important risk categories related to cybersecurity matters. These risk categories can create significant financial exposure, brand risk, and distraction. In the worst case, some of these risks could result in bankruptcy.

The risks related to disputes are traditional (e.g., litigation, arbitration, and negotiation of contract terms) and novel (e.g., data ownership disputes). They arise not only in the context of data breaches but in everyday operations.

Regulatory investigations are another source of risk. This risk is hard to quantify because there is not clear statutory authority for all regulatory investigations begun or threatened. This creates uncertainty for regulated entities. The costs for non-compliance can be extensive, with fines in the millions of dollars and consent decrees authorizing audits for 20 years.

These risks affect businesses even in the absence of a data breach incident. More businesses recognize this fact and are accounting for these risks in all aspects of their businesses. Businesses that attempt to deal with risk related to cybersecurity matters as an afterthought may be left behind.

Many businesses are international in scope and must comply with cybersecurity rules and regulations in a variety of countries. This can create a highest-common-denominator situation: businesses end up attempting to comply with the strictest regime in which they operate.

The dynamic nature of cybersecurity matters makes it impossible to completely enumerate every risk associated with such matters. This chapter provides a short survey of some of the most high-profile risks that all businesses will face in our current economy.

■ Risks of disputes
Businesses have a growing awareness of cybersecurity matters. As a result, cybersecurity matters will increasingly impact traditional business activities, such as contract

Plaintiffs also have an increasing awareness of cybersecurity-related causes of action. Courts have been receptive to some of these causes of action and skeptical of others, but plaintiffs continue to make threats in pursuit of a lucrative settlement.

Dispute risks in business activities
Cybersecurity matters will impact every traditional business activity, if they do not already. Two activities, contract negotiation and data processing, are already subject to dispute in many industries.

1. Contract negotiation. Contractual parties, especially government agencies, are becoming more sophisticated about requesting provisions related to cybersecurity during contract negotiations. Frequently, these provisions will place additional burdens on the counterparty, leading to disputes during negotiation. Many businesses are also attempting to apply existing contract provisions to cybersecurity matters. When this reinterpretation is put forward in the wake of a security breach, the reinterpretation can lead to costly litigation.

a) Flow-down provisions. Federal agencies, especially the Department of Defense, are including more flow-down provisions related to cybersecurity in their contracts with suppliers. Often, the agency requires its contractors to include these provisions in their contracts with subcontractors and other contractual counterparties. As these flow-down provisions expand through the supply chain, businesses with no direct connection with the federal agency will see requests—or demands—that they comply with provisions drafted without their input.

These provisions can include security standards and breach disclosure requirements. For instance, Defense Federal Acquisition Regulation Supplement (DFARS) 204.7300 requires “adequate security” for all contractors and subcontractors with systems on which controlled technical information resides or through which it transits. As with many of these provisions, “adequate security” is not defined with a checklist but as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” These same provisions include reporting requirements for both actual and potentially adverse effects on an information system, which is a more stringent requirement than many state data breach requirements.

Compliance with these provisions will be difficult, and the set language created by such provisions prevents businesses from negotiating more concrete terms, forcing businesses to accept uncertainty as a cost of entering into such a contract.

b) Liability/indemnity. Cybersecurity creates risk, and more businesses are looking to affirmatively allocate that risk through contractual terms. Actuaries are still developing tables related to cybersecurity risk (Congress is discussing legislating on this issue), so the allocation of risk in a contract may not be based on methods as rigorous as those in other risk allocations. This will create tension between parties who value the risk differently.

Cybersecurity incidents and the attendant response can be very expensive, with some sources placing the average financial cost of a data breach in the millions of dollars. The allocation of such cost, combined with an increasing chance of an incident triggering these clauses, is an area likely to be subject to dispute both during contract negotiation and in the wake of a breach.

Many contracts already contain liability allocation provisions, but those provisions do not explicitly address cybersecurity matters. In the wake of a cybersecurity incident, interpreting the liability allocation provisions will be a matter of some dispute.

c) Data security and notification. Laws, regulations, and political and consumer pressure have increased businesses’ focus on the security of consumer data. At the same time, consumer data have become a more valuable commodity. For instance, AT&T and Apple both contested Radio Shack’s ability to sell consumer data during Radio Shack’s bankruptcy. Recognizing these trends, businesses are placing more provisions in contracts that dictate security requirements. Because the underlying consumer data are valuable, these provisions may be subject to significant disputes during negotiations. Other businesses are attempting to read existing provisions as covering security requirements and privacy responsibility.

Many businesses that entrust sensitive data to counterparties are including breach notification provisions in contracts. These provisions vary greatly, even within a single industry, and create various thresholds for notification. For instance, some provisions require notification in the event of a breach. Others require notification if there is an indication of a breach. Many victims of a security breach seek to keep the existence of a breach out of the press, which can create tension with notification provisions.

2. Data ownership/data processing. Most state breach notification laws differentiate between data owners and data processors, but existing contracts do not always explicitly define these roles. Some businesses have attempted to understand these issues and have asserted ownership (or, in some cases, denied ownership) of data in the absence of a specific ownership allocation. This can lead to disputes in long-standing business relationships. One business may seek to sell information it is collecting while a contractual counterparty is attempting to safeguard the same data. Not all businesses seek to clarify this relationship prior to selling data, which can lead to significant disputes when such sales come to light.

In the context of a data breach
Data breaches expose businesses to many additional disputes. At times, these disputes can be more problematic than the intrusion itself. Contractual counterparties, customers, and other impacted businesses may all seek some compensation in the wake of a data breach. Insurance companies may seek to avoid payment under policies that arguably apply, leading to additional litigation.

1. Contractual counterparties. Most contracts have provisions that are either directly or indirectly implicated by a data breach. Some of these provisions are triggered by a breach, such as obligations to notify consumers whose information is exposed. A counterparty may allege that other provisions are broken by an intrusion, such as a requirement to have adequate or reasonable security. Businesses often struggle with whether a particular provision requires notification, either because the provision itself is not clear or because the business believes that the intrusion does not rise to the level contemplated in the contract. Counterparties may disagree with this interpretation, leading to disputes if the intrusion does come to light.

Notification provisions often have an abbreviated time frame for notification. Attempting to identify and comply with notification provisions of impacted counterparties can create additional stress beyond the already significant stress related to a data breach. Reviewing and attempting to interpret these provisions after an intrusion also creates risk of contractual breach, as a business may not discover the notification provision until after the required time frame has passed.

In the wake of a breach, a victim’s security will come under scrutiny, and a contractual counterparty may argue that the security was inadequate under the contract. For instance, in the DFARS provision discussed previously, “adequate security” is ripe for protracted litigation in the wake of a cybersecurity incident. It is difficult to define such terms adequately and still provide flexibility in the face of changing threats.

In some industries, such as those that deal with payment cards, many security requirements are codified and subject to audit. The victim of a data breach may be subject to a more intrusive audit to confirm its security.

Many contracts that involve confidential data have a provision for certifying that the confidential data have been destroyed. A counterparty may rightly inquire how such a certification was made in the wake of a cybersecurity incident.

2. Customers. Many intrusions lead to lawsuits by customers, whether they be individual consumers or large businesses. Recent card breaches have resulted in significant class-action litigation, and these cases have received much of the press, but business customers have also pressed for indemnification in the wake of an intrusion.

Disputes with business partners over data breaches can disrupt normal operations, above and beyond the disruption caused by the data breach itself. The need to resume normal operations can pressure the victim to quickly agree to a settlement.

Customers will often file class actions in the wake of a data breach. Plaintiffs’ lawyers are growing more sophisticated in how and where they file these actions. Both individual consumers and financial institutions have filed class actions, and, in some cases, these class actions are consolidated into complicated multidistrict litigation with multiple tracks for the differing plaintiffs. This creates expensive and cumbersome litigation.

3. Other impacted businesses. Contractual counterparties are not the only businesses that may sue in the wake of a data breach. Banks that issued cards implicated in Target’s data breach are suing Target, even if they lack any traditional relationship to Target. Our more interconnected society has spread the effects of cybersecurity problems, and affected parties are developing more creative methods to file suit against the original victim of the intrusion.

4. Insurance. More and more insurance companies are offering cyber policies, and more businesses are attempting to make claims for intrusions under general policies. Insurance companies are, in turn, attempting to limit the scope of coverage. Some insurance companies are denying claims, while others are carefully reviewing invoices for services related to data breaches. The cost to respond to a breach can be expensive, and insurers will continue to dispute claims and charges. In some cases, this will lead to additional litigation after the data breach response is

■ Risks of regulatory investigations
Certain regulators have explicit statutory jurisdiction over cybersecurity matters. Other regulatory agencies do not, but they attempt to regulate such matters under their existing, general jurisdiction. As public and congressional scrutiny of cybersecurity measures increases, regulators will be more aggressive in asserting jurisdiction over their regulated entities’ cybersecurity

Federal regulators
1. Industry regulators. Traditional regulators have already applied or are planning to apply standards related to cybersecurity matters to their regulated entities. The Federal Financial Institutions Examination Council (FFIEC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the Department of Health and Human Services (HHS), and the Department of Homeland Security (DHS) are some of the regulators that have sought to regulate cybersecurity matters among their regulated entities. In addition, the National Institute of Standards and Technology (NIST) publishes documents that plaintiffs and regulators apply in analyzing a business’s cybersecurity.

The FFIEC has been one of the leading regulators with regard to cybersecurity. The FFIEC has had an IT examination handbook for several years and is developing a tool to help financial institutions assess risk. In addition, the FFIEC requires financial institutions to require certain cybersecurity measures of the institutions’ third-party service providers, effectively expanding the FFIEC’s jurisdiction. The FFIEC has experience in investigating data breaches and imposing punishments based on insufficient security. Other regulators look to the FFIEC’s examination handbook to inform their own regulations and investigations.

The FTC has been aggressive in filing administrative complaints against businesses that, in the eyes of the FTC, do not adequately protect sensitive consumer information. The FTC requires, among other things, “reasonable security” but provides no formal definition. This creates uncertainty for businesses seeking to understand their obligations. The FTC is involved in litigation in federal court concerning both its jurisdiction over data security and the standards it applies to businesses. Congress is considering a bill to formalize FTC jurisdiction over data security, which may further empower the FTC.

The FCC’s Cybersecurity and Communications Reliability Division works to maintain the reliability of communications infrastructure in the face of various cyberthreats. In 2014 the FCC began imposing substantial fines on wireless carriers for insufficiently secured sensitive consumer information.

HHS regulates cybersecurity matters under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under this authority, HHS has imposed multimillion-dollar fines for insufficient data security.

DHS is involved in coordinating information sharing, securing critical infrastructure, and protecting federal cybersecurity assets. Currently, its programs for most private businesses are voluntary, but as Congress continues to focus on information sharing as a key component of reducing cybersecurity incidents, plaintiffs and courts will see these programs less as voluntary and more as the minimum standard of care.

NIST publishes an array of standards related to cybersecurity. Although none of these standards are binding on private entities (at least as of publication), they are often cited as what is reasonable security or as industry standard. In addition, plaintiffs and regulators look to NIST standards to inform allegations made in complaints and investigations.

2. Securities and Exchange Commission. The Securities and Exchange Commission (SEC), under pressure from Congress, has focused on public statements concerning data breaches. This focus encompasses both disclosures made after breaches and risk factors made in market reports. To date, the SEC has stated that the materiality analysis for data breaches is the same as for other risk factors, but there is little formal notice or adjudication on these statements, creating uncertainty and risk.

The SEC released guidance on cybersecurity risks in 2011. According to the SEC, registrants “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

The SEC, in conjunction with the Financial Industry Regulatory Authority, has engaged in enforcement actions against the entities they regulate for insufficient security for both customer data and market data.

State regulators
State regulators and attorneys general are also involved in cybersecurity matters; indeed, state attorneys general have been active in investigating data breaches. Each state has a different legal environment concerning data breaches. These attorneys general typically assert jurisdiction when the state’s citizens are impacted, potentially exposing a business to an investigation even if the business does not typically operate in the state.

California has generally been the first state to impose data breach notification requirements. California passed its data breach notification law in 2003. In the time since, California has expanded what data are covered by the statute, including most recently usernames and passwords. Most other states have similar statutes.

Several other states, including Vermont, New York, and Michigan, have been particularly active in investigations. For certain larger breaches, some state attorneys general will work together in a coordinated

■ Conclusion
Cybersecurity matters create extensive risks for business. Foremost among these are risks related to disputes and regulatory investigations. These risks are not fully defined and likely never will be.

    K&L Gates LLP – Roberta D. Anderson, Partner
    Legal considerations for
    cybersecurity insurance
    ■ Legal, regulatory, and additional concerns driving
    the purchase of cybersecurity insurance
    Legal liability, regulatory and other exposures surrounding cybersecurity
    and data privacy-related incidents
    In addition to a seemingly endless stream of data breaches
    and other serious cybersecurity and data protection-
    related incidents, the past several years have seen signifi –
    cantly amplifi ed legal liability surrounding cybersecurity
    and data privacy, a remarkable proliferation and expan-
    sion of cybersecurity and privacy-related laws, and
    increasingly heightened regulatory scrutiny.
    In the wake of a data breach of any consequence, an
    organization is likely to face myriad different forms of legal
    and regulatory exposure, including class action litigation,
    shareholder derivative litigation, regulatory investigation,
    the costs associated with forensic investigation, notifi cation
    to persons whose information may have been compro-
    mised, credit monitoring, call center services, public rela-
    tions expenses, and other event management activities.
    Beyond third-party liability and event management
    activities, organizations face substantial fi rst-party losses
    associated with reputational injury and damage to brand in
    the wake of a serious breach event. They also face substan-
    tial business income loss if an event disrupts normal day-
    to-day business operations. Even if an organization’s own
    system is not compromised, the organization may suffer
    signifi cant losses if an incident affects a key vendor, cloud
    provider, or any key third party in the organization’s prod-
    uct and service supply chain. Also at stake is the organiza-
    tion’s digital assets, the value of which in some cases may
    eclipse the value of the organization’s other property.
    Cybersecurity insurance can play a vital role in an
    organization’s overall strategy to address, mitigate, and
    maximize protection against the legal and other exposures
    fl owing from data breaches and other serious cybersecu-
    rity, privacy, and data protection-related incidents.

■ SEC’s cybersecurity risk factor disclosure guidance and cybersecurity insurance

In October 2011, in the wake of what it phrased “more frequent and severe cyber incidents,” the Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance issued disclosure guidance on cybersecurity, which advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” The guidance advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” that the company has in place to address cybersecurity risk.

SEC comments in this area have regularly requested information regarding “whether [the company] ha[s] obtained relevant insurance coverage,” as well as “the amount of [the company]’s cyber liability insurance.” More recently, the SEC is asking not only whether the company has cybersecurity insurance and how much the company has but also how solid the company’s coverage is:

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses.” (Emphasis added.)

“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.” (Emphasis added.)

The SEC’s guidance provides another compelling reason for publicly traded companies to carefully evaluate their current insurance program and consider purchasing cybersecurity insurance.

■ The exclusion of cybersecurity and data privacy-related coverage from traditional insurance policies

In response to decisions upholding coverage for cybersecurity and data privacy-related risks under traditional lines of insurance coverage, such as Commercial General Liability (CGL) coverage, the insurance industry has added various limitations and exclusions to traditional lines of coverage.

By way of example, Insurance Services Office (ISO), the insurance industry organization that develops standard insurance policy language, recently introduced a new series of cybersecurity and data breach exclusionary endorsements to its standard-form CGL policies, which became effective in May 2014. One of the endorsements, entitled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to the primary CGL policy:

This insurance does not apply to:

p. Access Or Disclosure Of Confidential Or Personal Information And Data-related

Damages arising out of:

(1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.

In connection with its filing of the endorsements, ISO stated that “when this endorsement is attached, it will result in a reduction of coverage. . . .”

Although there may be significant potential coverage for cybersecurity and data privacy-related incidents under an organization’s traditional insurance policies, including its Directors’ and Officers’ Liability, Professional Liability, Fiduciary Liability, Crime, CGL, and Commercial Property policies, the new exclusions provide another reason for organizations to carefully consider specialty cybersecurity insurance products.

■ Types of cybersecurity insurance

Established coverages

There are a number of established third-party coverages (i.e., covering an organization’s potential liability to third parties) and first-party coverages (e.g., covering the organization’s own digital assets and income loss) as summarized in Table 1:

Privacy liability: Generally covers third-party liability, including defense and judgments or settlements, arising from data breaches, such as the Target breach, and other failures to protect protected and confidential information

Network security: Generally covers third-party liability, including defense and judgments or settlements, arising from security threats to networks, e.g., inability to access the insured’s network because of a DDoS attack or transmission of malicious code to a third-party network

Regulatory liability: Generally covers amounts payable in connection with administrative or regulatory investigations and proceedings, including regulatory fines and penalties

PCI DSS liability: Generally covers amounts payable in connection with payment card industry demands for assessments, including contractual fines and penalties, for alleged noncompliance with PCI Data Security Standards

Media liability: Generally covers third-party liability arising from infringement of copyright or other intellectual property rights and torts such as libel, slander, and defamation, which arise from media-related activities, e.g., broadcasting and advertising

Crisis management: Generally covers “crisis management” expenses that typically follow in the wake of a breach incident, e.g., breach notification costs, credit monitoring, call center services, forensic investigations, and public relations efforts

[type missing]: Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of computer systems/networks

[type missing]: Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of a third-party’s computer systems/networks

Digital assets: Generally covers the organization’s costs associated with replacing, recreating, restoring, and repairing damaged or destroyed computer programs, software, and electronic data

Extortion: Generally covers losses associated with cyber extortion, e.g., payment of an extortionist’s demand to prevent a cybersecurity or data privacy-related incident

Emerging markets

In addition to the established coverages, three significant emerging markets provide coverage for the following:

• first-party losses involving physical asset damage after an electronic data-related
• third-party bodily injury and property damage that may result from an electronic data-related incident
• reputational injury resulting from an incident that adversely affects the public perception of the insured organization or its brand.

Because privacy and electronic data-related exclusions continue to make their way into traditional property and liability insurance policies, and given that an organization’s largest exposures may flow from reputational injury and brand tarnishment, these emerging coverages will be increasingly valuable.

■ Strategic tips for purchasing cybersecurity

Cybersecurity insurance coverage can be extremely valuable, but choosing the right insurance product presents significant challenges. A diverse and growing array of products is in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different organizations within those sectors, are far-reaching and diverse.

Although placing coverage in this dynamic space presents a challenge, it also presents substantial opportunity. The cyber insurance market is extremely competitive, and cyber insurance policies are highly negotiable. This means that the terms of the insurers’ off-the-shelf policy forms often can be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in

The following are five strategic tips for purchasing cyber insurance:

Adopt a team approach.

Successful placement of cybersecurity insurance coverage is a collaborative undertaking. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker but also of in-house legal counsel and IT professionals, resources, and compliance personnel—and experienced insurance coverage counsel.

Understand risk profile and tolerance.

A successful insurance placement is facilitated by having a thorough understanding of an organization’s risk profile, including the following:

• the scope and type of data maintained by the company and the location and manner in which, and by whom, such data are used, transmitted, handled, and stored
• the organization’s network infrastructure
• the organization’s cybersecurity, privacy, and data protection practices
• the organization’s state of compliance with regulatory and industry standards
• the use of unencrypted mobile and other portable devices.

Many other factors may warrant consideration. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

Ask the right questions.

It is important to carefully evaluate the coverage under consideration. Table 2 shows ten of the important questions to ask when considering third-party and first-party cyber

Third-Party

Does the policy:
• cover the acts, errors, and omissions of third parties, e.g., vendors, for which the organization may be liable?
• cover data in the care, custody, or control of third parties, e.g., cloud
• cover new and expanding privacy laws and regulations?
• cover personally identifiable information in any form, e.g., paper records?
• cover confidential corporate data, e.g., third-party trade secrets?
• cover wrongful or unauthorized collection of data?
• cover regulatory fines and penalties?
• cover PCI DSS-related liability?
• exclude the acts of “rogue” employees?
• exclude unencrypted devices?

First-Party

Does the policy:
• cover business income loss resulting from system failures in addition to failures of network security, e.g., any unplanned
• cover business income loss resulting from cloud failure?
• cover contingent business income loss resulting from the failure of a third-party network?
• cover data restoration costs?
• cover business income loss after a network is up and running, but before business returns to full pre-incident operation?
• contain hourly sublimits?
• contain an hourly “waiting period”?
• contain a sublimit applicable to the contingent business income coverage?
• exclude loss for power failure or blackout/
• exclude software programs that are unsupported or in a testing stage?

The list is not exhaustive, and many other questions should be considered, including, for example, the extent to which the policy
covers, or excludes, cyberterrorism. In all cases, the organization should request a retroactive date of at least 1 year prior to the policy inception, given that advanced attacks go undetected for a median of 229 days.

Beware the fine print.

Like any other insurance policy, cybersecurity insurance policies contain exclusions that may significantly curtail and undermine the purpose of the coverage. Some insurers, for example, may insert exclusions based on purported shortcomings in the insured’s security measures. One case recently filed in the California federal court on May 7, 2015, highlights the problems with these types of exclusions. The case is Columbia Casualty Company v. Cottage Health System, in which Columbia Casualty, CNA’s non-admitted insurer, seeks to avoid coverage under a cybersecurity insurance policy for the defense and settlement of a data breach class action lawsuit and related regulatory investigation. CNA relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. These types of broadly worded, open-ended exclusions can be acutely problematic and impracticable. If enforced literally, they may vaporize the coverage that the policy is intended to provide. The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cybersecurity insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them or to entirely eliminate them—and often this does not cost additional premium.

Pay attention to the application.

CNA in the Columbia Casualty case also seeks to deny coverage based upon alleged misrepresentations contained in the insured’s insurance application relating to the risk controls. The important takeaway is that cybersecurity insurance applications can, and usually do, contain a myriad of questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists who may not appreciate the nuances and idiosyncrasies of insurance coverage law. For these reasons, it is advisable to have insurance coverage counsel involved in the application process.

■ Tips for prevailing in cyber insurance coverage litigation

As CNA’s recently filed coverage action in the Columbia Casualty case illustrates, cybersecurity insurance coverage disputes and litigation are coming. In the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations should anticipate that their insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage to decrease the likelihood of a coverage denial. In contrast to many types of commercial insurance policies, cybersecurity policies are extremely negotiable, and the insurer’s off-the-shelf forms can usually be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid form is in place, however, and there is a solid claim for coverage under the policy language and applicable law, insurers can and do deny coverage. When facing coverage litigation, organizations are advised to consider the following five strategies to prevail:

Tell a concise, compelling story.

In complex insurance coverage litigation, there are many moving parts and the issues are typically nuanced and complex. It is critical, however, that these nuanced, complex issues come across to a judge, jury, or arbitrator as simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the
outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow, and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as the following:

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

Place the story in the right context.

It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cybersecurity insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open-ended exclusions such as the one at issue in the Columbia Casualty case, which, if enforced literally, would largely if not entirely vaporize the coverage ostensibly provided under the policy. These types of exclusions can be acutely problematic and impracticable. A myriad of other traps in cyber insurance policies—even more in those that are not carefully negotiated—may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries, and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, comprising the extremely complex areas of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. In addition, CNA represented in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber liability and CNA NetProtect

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes, and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent, and interpretation of the policy terms and conditions, claims handling, and other matters depending on the particular circumstances of the coverage action.

Secure the best potential venue and choice of law.

One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success, among other reasons because the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases is outcome-determinative. Insurance contracts are interpreted according to state law and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different
interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice of law analysis before initiating coverage litigation or selecting a venue or, where the insurer files first, before taking a choice of law position or deciding whether to challenge the insurer’s selected forum.

Consider bringing in other carriers.

Often when there is a cybersecurity, privacy, or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like the Target breach may implicate an organization’s cybersecurity insurance, CGL insurance, and Directors’ and Officers’ Liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings. Again considering the context, a judge, arbitrator, or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion, and the organization’s cybersecurity insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. Relatedly, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.

Retain counsel with cybersecurity insurance expertise.

Cybersecurity insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cybersecurity insurance expertise assists an organization on a number of fronts. Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution, and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient, streamlined manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, thereby, at a minimum, streamlining the case in a cost-effective manner and limiting the issues that ultimately go to a jury. Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon obvious and subtle differences between and among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multimillion dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

■ Conclusion

Cyber insurance coverage can be extremely valuable. Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim. If a claim arises, following sound litigation strategies and refusing to take “no” for an answer will greatly increase the odds of securing valuable coverage.

SecurityRoundtable.org

Wilson Elser Moskowitz Edelman & Dicker LLP – Melissa Ventrone, Partner and Lindsay Nickle, Partner

Consumer protection: What is it?

From a legal perspective, consumer protection is the application of rules and regulations to agencies, businesses, and organizations that require them to protect their customers from intentional and unintentional harm. Instead of caveat emptor, or buyer beware, the business entity has a mandate to protect its customers from the bad things that may befall them. In essence, the government has decided it is the business’s responsibility to protect the least sophisticated consumers from themselves and what may happen to them.

The intersection of consumer protection and cybersecurity imposes a responsibility on businesses to protect their consumers’ information. Unlike many areas of business, when an organization is the victim of a criminal attack, such as being hacked, the business is not considered a victim. Instead, the customers are considered the victims, and the business becomes a potential scapegoat—the target of inquiries, investigations, irate customers, reputational harm, and lost business, even though it was the business that suffered the criminal activity. Leading experts agree that no organization is immune from cyberattacks and that impenetrable data security is not possible. Nevertheless, the media and the public continue to vilify and hold businesses responsible for failing to do what experts agree cannot be done.

Consumers demand that organizations safeguard their privacy and protect their information from data breaches; however, those same consumers are impatient and intolerant when security measures slow services or degrade usability. Some may terminate their relationships as a result, jumping ship to underfunded start-ups simply because consumers want what they want, and they want it now.

Adding to the difficulty of trying to balance data privacy and security with innovation and usability, organizations must concurrently maintain compliance with the myriad of state and federal data privacy and security laws, regulations, and guidelines. It would take several books to outline all the laws, regulations, and guidelines that affect consumer protection and cybersecurity. This chapter is designed to provide organizations with an understanding of those laws that have the most significant impact on privacy and security from a consumer protection perspective. There is no better place to start this discussion than by examining the recent activities of the Federal Trade Commission (FTC).

■ Cybersecurity, consumer protection, and the FTC

The FTC has deemed itself the enforcer of data privacy and security, the ultimate authority responsible for protecting consumer privacy and promoting data security in the private sector. In fact, the FTC commonly is considered the most active agency in the world in this area. Although the debate continues on whether the FTC has authority to police data privacy and security under section 5 of the FTC Act, organizations must be aware that the FTC and other regulators are monitoring practices and investigating and enforcing various laws under the guise of privacy and cybersecurity as a consumer protection issue.

The FTC regulates this space under section 5 of the FTC Act, which prohibits unfair or deceptive practices. The FTC may choose to investigate an organization if it believes that the organization has made materially misleading statements or omissions regarding the security provided for consumers’ personal data. Further, according to a prepared statement by the FTC, “a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by the consumer nor outweighed by countervailing benefits to consumers or to competition.”

What does this mean? Well, according to an FTC report, this means that an organization’s data security measures must be “reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” In other words, the FTC can choose to investigate an organization simply because the FTC believes the organization is doing a poor job protecting consumers’ information. Confused? You are not alone. Frankly, it appears that the FTC views poor cybersecurity practices a bit like courts view pornography—they know it when they see it.

Organizations looking for guidance from the FTC on appropriate security measures to protect consumer information may find themselves twisting in the wind like the last leaf on a tree. The FTC has not issued any detailed guidelines on what constitutes “reasonable security measures.” To be fair, the FTC most likely struggles, as do many agencies, with establishing guidelines that are flexible enough to apply to a wide range of organizations in a variety of industries, yet structured enough to set a

The FTC addressed this argument by instructing companies to review its previous consent decrees to identify “reasonable”—or more appropriately, what it considered to be unreasonable—security standards. Thus, in the midst of day-to-day operations, the FTC apparently expects an organization to carefully review a multitude of previous consent decrees to identify what it should be doing to reasonably protect consumers’

Organizations can also review a 15-page guide the FTC published in 2011, Protecting Personal Information: A Guide for Business. This guide informs organizations that a “sound business plan” is based on five

• Know what information you have and who has access to the information.
    131 ■
• Keep only that information needed to conduct business.
• Protect the information in your control.
• Properly dispose of information that is no longer needed.
• Prepare a plan for responding to security

Although this may have been an accurate list in 2011, any company that limits its cybersecurity program to these five principles will quickly discover its inadequacies. The FTC claims to recognize that there is no one-size-fits-all data security program, no program is perfect, and the mere fact that a breach occurs does not mean a company has violated the law.

Organizations must be aware of the FTC’s heightened activity in this space. Right now, data privacy and protection of consumer information has the public’s attention and is sometimes used as a political platform. Organizations must have an in-depth understanding of their cybersecurity posture, identify key vulnerabilities, and have a plan to either mitigate or remediate problems. Failure to place consumer protection and cybersecurity at the top of its priority list may land an organization in the FTC’s crosshairs.

■ Cybersecurity, consumer protection, and the financial industry

As in other industries, cybersecurity and consumer protection in the financial sector are a patchwork of federal statutes, regulations, agencies, and enforcers. There are five federal banking regulatory agencies: the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Consumer Financial Protection Bureau (CFPB). A representative from each of them sits on the Federal Financial Institutions Examination Council (FFIEC), which is empowered to set out principles, standards, and forms for the uniformity of the supervision of financial institutions. A top FFIEC priority is the strengthening of cybersecurity in the marketplace, particularly as it pertains to the financial industry and those businesses and organizations that provide services in the financial sector. To that end, in the summer of 2014, the FFIEC completed a cybersecurity assessment involving more than 500 community financial institutions with the goal of determining how prepared those institutions were to mitigate cyber risks. The results are instructive as potential standards for the efforts an organization should take when its operations interact with or are tangential to the financial industry, or simply when a business collects, stores, or shares consumers’ private information.

Cyber preparedness—which is the crux of consumer protection—encompasses the

• Risk management and oversight: Organizations should proactively train employees, allocate resources, and exercise control and supervision of cybersecurity operations. This includes involving upper-level management and boards.
• Threat intelligence: A business should undertake processes to educate, identify, and track cyber activities, vulnerabilities, and threats.
• Cybersecurity controls: Businesses should implement controls to prevent unauthorized access or exposure of information, to detect attacks or attempts to compromise systems, and to correct known and identified vulnerabilities. As the industry begins to more fully recognize the futility of keeping malicious attackers outside the network perimeter, companies also should implement controls that more quickly identify when malicious activity takes place inside the
• External dependency management: Organizations should have processes in place to manage vendors and third-party service providers and help ensure that connections to systems are secure, as well as processes to audit and evaluate the third-party’s cybersecurity protections.
• Cyber incident management and resilience: Organizations should have procedures and processes to detect incidents, respond to those incidents, mitigate the impact of the incidents, document and report on the incidents, and provide for recovery and business continuity.

Within the financial sector, and regarding businesses that interact with the financial sector, these can reasonably be considered the components of due diligence. Efforts to protect consumers from the dangers of the exposure of personal information entrusted to a business involve guiding the organization through these steps on a scale appropriate to the size of the business and the scope of the information involved.

Adding to the complexity of compliance, there are multiple statutes and regulations that expressly require businesses to undertake security measures and notify consumers regarding privacy and information-sharing practices. The Gramm-Leach-Bliley Act (GLBA) and the corresponding regulations adopted to implement its requirements are aimed at protecting consumer interests. Similar to other regulations, businesses are required by the GLBA Safeguard Rule to use “reasonable security measures” to protect consumer information that they collect and store. In the financial services industry, this often includes highly sensitive information, such as Social Security numbers, financial account numbers, and income and credit histories.

Fortunately, the GLBA outlines, at least in some fashion, what constitutes “reasonable security measures.” For instance, the GLBA Safeguard Rule requires the development and implementation of a written information security plan. In addition, the Rule requires companies to provide an annual written privacy notice to its customers that clearly, conspicuously, and accurately explains its information-sharing practices and provides customers the right to opt out of the organization’s sharing practices. Both of these consumer protections are enforced by the FTC along with several other federal regulatory agencies and state insurance

Those entities governed by the SEC (Securities and Exchange Commission) and FINRA (Financial Industry Regulatory Authority) are expressly required to develop written identity theft prevention programs and, in the face of a breach, will likely face questions regarding cybersecurity policies and efforts. Further, the regulations imposing these requirements mandate that upper-level management signs off on any written program and participates in its administration. As the goal of these requirements is to protect customer information, an organization should be mindful to design programs that consider the nature of the organization’s operations, as well as its size and complexity, so that the plan can be effectively implemented to achieve its desired goals.

The OCC recommends all banks and financial institutions implement incident response and business continuity plans and test those plans regularly. It also sets supervisory expectations about how financial institutions and third-party service providers in the financial sector can and should safeguard sensitive information. The OCC conducts on-site audits of financial institutions and certain third-party service providers to confirm compliance. The OCC also gets involved in the aftermath of cyberattacks to assess the corrective actions that financial institutions take in response. The OCC is vested with the authority to require the banks subject to their regulation and the banks’ service providers to take steps to protect systems, prevent loss or theft of sensitive information, and mitigate identity theft.

In 2007, under the terms of the Fair and Accurate Credit Transactions Act, the OCC, FRB, FDIC, NCUA, and FTC issued regulations requiring creditors and financial institutions to develop and implement formal written programs aimed at identifying and preventing identity theft (the Red Flags Rule). Large banks have resident OCC investigators trained to assess cybersecurity
issues. Smaller banks face on-site visits every 12 to 18 months. In 2013, the OCC updated its Third-Party Relationship Risk Management Guidance to set out expectations for risk assessment and management of third-party relationships. The senior management and boards of banks retain responsibility for cybersecurity even when third parties are involved. As a result, the OCC mandates comprehensive oversight and management of third-party relationships throughout the life of each relationship. This requires extensive due diligence prior to establishing a relationship, execution of written contracts that should include the right to audit the third party, ongoing monitoring, documentation, and reporting regarding risk management processes, and independent review of processes. Further, the OCC requires that third-party contracts stipulate that the OCC has the authority to examine and regulate the services provided to the bank by the third party.

The financial industry is highly regulated, and its consumer protection and cybersecurity aspects are no exception. Identity theft, at its heart, is a consumer protection issue. Enforceable security guidelines set out by regulators and aimed at the protection of consumer information trickle down to service providers, as the financial institutions are affirmatively charged with managing risks associated with vendors and service providers. The recommendations and requirements of the financial regulators make clear that extensive due diligence, monitoring, planning, and management are required in the quest to take reasonable security measures.

■ Health care, cybersecurity, and consumer

Any discussion of consumer protection and cybersecurity must include a discussion of the health care industry. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs protected health information (PHI) maintained by various organizations that fall under the jurisdiction of HIPAA (covered entities) and other organizations that may receive health information from covered entities while performing various services. HIPAA is enforced primarily by the U.S. Department of Health and Human Services Office of Civil Rights (OCR). State attorneys general also have the authority to enforce HIPAA.

OCR’s authority to enforce HIPAA encompasses covered entities regardless of size and their “business associates,” a term that includes first-tier vendors that contract directly with covered entities and all downstream entities that receive PHI in the course of their business. Perhaps the most helpful aspect of HIPAA is that it specifies privacy requirements that covered entities must follow, as well as identifies security elements for covered entities to consider.

The HIPAA Privacy Rule outlines standards for the use and disclosure of all forms of PHI and categorizes PHI into three major “usage” categories: treatment, payment, and health care operations and sets up rules associated with each use. Uses that fall outside of these categories or that do not qualify as any of the exceptions described in the rule require an authorization from the affected individual. Meanwhile, the HIPAA Security Rule establishes standards for preserving the confidentiality, integrity, and availability of electronic PHI. Specifically, the Security Rule requires covered entities to have appropriate administrative, physical, and technical safeguards in place to protect PHI and contains detailed security requirements for protecting PHI. For instance, covered entities must conduct an assessment of the risks to and vulnerabilities of the protected health information.

These guidelines provide organizations with concrete examples of steps needed to protect PHI and hence the consumer information in their systems. However, organizations should be aware that compliance with HIPAA is a minimum standard. As technology continues to change and develop, circumstances may require organizations to exceed the minimum HIPAA compliance requirements to effectively protect consumer
This is an important point, because in addition to OCR, the FTC considers itself empowered to regulate organizations that are covered by HIPAA. According to the FTC, HIPAA does not preempt the FTC’s authority to also regulate covered entities. Furthermore, in 2010 the FTC issued the Health Breach Notification Rule, which mandates that entities not covered by HIPAA that experience a breach of a “personal health record” provide notification to the affected consumer.

Covered entities and their business associates must do more than merely “check the box” on cybersecurity compliance. If an organization faces an OCR investigation, it will be required to provide information related to its entire data privacy and security program, not just information related to the “incident” that triggered the investigation. Often, organizations are required to provide evidence of policies and procedures going back several years.

As part of its efforts to enforce compliance with HIPAA, OCR conducted security audits of covered entities in 2011 and 2012, commonly referred to as Phase 1. Although Phase 2 was delayed until OCR implements a web portal that enables covered entities to submit information, in May 2015 OCR began sending the first surveys of Phase 2 audits, so covered entities and their business associates should be prepared for this next phase. Similar to other agencies, OCR intends to audit the cybersecurity practices of the organizations that fall under its jurisdiction. OCR previously announced that it would conduct a pre-audit survey of 800 covered entities and 400 business associates, and from that pool select 350 covered entities and 50 business associates for a full audit.

The audits will take place over three years and will focus on:

• Risk analysis and risk management (the Security Rule)
• Notice of privacy practices and access rights (the Privacy Rule)
• Content and timeliness of breach notification (the Breach Notification Rule).

Phase 2 audits will likely not be as comprehensive as the audits in Phase 1 and will focus on key high-risk areas OCR learned of in its Phase 1 audits.

Health care information is commonly considered the most sensitive and personal information a consumer has, and it therefore deserves increased security controls. This is perhaps recognized by the authority of the state attorneys general to enforce HIPAA, a provision not found in all federal statutes. Numerous states have passed laws specifically intended to protect personal health information, regardless of whether the organization holding such information is considered a “covered entity” under HIPAA. As health care breaches continue to increase in number, organizations should expect greater regulatory scrutiny and activity related to their efforts to protect consumer health

■ State laws and regulations

In addition to the federal landscape, businesses should be aware that state laws and regulations affect consumer protection obligations. Various states have laws that affect specific industries and general consumer protection laws that may be implicated in business practices. This is a growing concern with the increase in e-commerce. Businesses that in the past would have limited their footprint to the jurisdiction of a single state now are more likely to encounter customers across state lines. Because the applicability of state laws affecting consumers and cybersecurity is often triggered by the residence of the consumer, even small businesses can find that they face unexpected multijurisdictional questions.

■ Recommendations and conclusion

Given the wide range of laws, regulations, and guidelines—only a few of which could be covered here—how do organizations begin to navigate these treacherous waters?

SecurityRoundtable.org 135 ■
Organizations must build privacy and security into their systems, processes, and services from the ground up and from the top down. Education and training for all employees should start on day one and be continuous. The time and effort required to assess cyber risk and understand data is minimal compared with the potential implications of failing to do so. Technology is constantly evolving, which means cybersecurity does as well, and an organization’s efforts to protect consumer information must similarly adapt. It is better to have considered a tool and rejected it because it substantially degrades the service offered than to ignore the vulnerability entirely. Organizations must face cybersecurity risks as an enterprise and leverage industry experts to guide them through this quagmire of laws, regulations, and threats.
Fish & Richardson P.C. – Gus P. Coldebella, Principal

Protecting trade secrets in the age of cyberespionage

The cybertheft of intellectual property (IP) from U.S. companies has, in the words of former NSA director and Cyber Command chief General Keith Alexander, resulted in the “greatest transfer of wealth in human history.” And the data bear that out: by some estimates, the value of IP stolen from U.S. businesses over the Internet alone is $300 billion per year—a whopping 6% of our $5 trillion total intellectual property assets. For certain nations, cyber espionage is a central component of their growth strategies: for example, the Report of the Commission on the Theft of U.S. Intellectual Property (the IP Commission Report) found that “national industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice.” Cyber espionage of IP assets allows companies and countries to circumvent the expense and hard work of basic research and product development—which could take years or even decades—and instead quickly pursue their economic agendas based on stolen IP, all to the detriment of U.S. businesses, jobs, and economic growth.

On May 1, 2014, a federal grand jury brought criminal charges of hacking, economic espionage, and trade secrets theft against five officers of China’s military. The hackers are alleged to have penetrated the networks of important American companies to acquire proprietary and confidential technical and design specifications, manufacturing metrics, attorney-client discussions about upcoming trade litigation, economic strategies, and other forms of sensitive, nonpublic information. What was the object of this indictment? Certainly not to get a conviction: the likelihood of China extraditing the defendants to the U.S. is negligible. Instead, the U.S. used the indictment to transmit two strong signals. First, it sent a message to China: that we are aware of this aberrant behavior—in which a nation-state aims its espionage apparatus not at another country, but at another country’s companies—and that the
U.S. will expose this misconduct to the world. Second, the indictment sent a message to U.S. companies that, although past breaches and legal and reputational risk may have convinced boards and management to shore up defenses against cyberattacks involving ‘personally identifiable information,’ or PII, the most sophisticated attackers are interested in other, more mission-critical data on companies’ networks—intellectual property. The loss of trade secrets could cause more harm to a company’s reputation, value, and future prospects than a PII breach ever could. The U.S. government is signaling that companies should focus on taking immediate, reasonable steps to defend their intellectual property assets.

In a world where countries persistently attack companies and compromise of a company’s networks seems inevitable, management may be tempted to throw up their hands and concede defeat. There are, however, important legal and practical reasons to fight. In this chapter, we explore reasonable steps companies can take to prevent the cybertheft of their IP assets, to mitigate the harm of such thefts if they occur, and to challenge competitors that use stolen IP assets to unfairly gain an advantage in the marketplace.

■ Conducting a trade secrets risk analysis

So what types of IP are cyber spies after? Intellectual property has four broad categories: patents, trademarks, copyrights, and trade secrets. A trade secret—according to the Uniform Trade Secrets Act, or UTSA, adopted in some form by 48 states and the District of Columbia—is information that gains its actual or potential economic value from being not generally known and reasonably protected from disclosure. Of the four IP types, only trade secrets maintain their value, and their legal protection as trade secrets, through nondisclosure. If a trade secret is not disclosed, the economic benefit it provides and the legal protection it enjoys can theoretically last forever. If it is disclosed, those advantages can be destroyed. Trade secrets stand apart from other IP, which gains and maintains its legal protection through disclosure: the filing of a patent, the registration of a trademark, and the creation/publication of copyrighted material. Cyberthieves generally set their sights on a company’s trade secrets—the one type of IP that is not readily available for the world to see.

Some companies keep their trade secrets offline. Legend has it that one of the most storied trade secrets, the formula for Coca-Cola, is on a handwritten piece of paper in a safe in Coke’s Atlanta headquarters. But air-gapped trade secrets are rare in the Internet age. Given this, it is crucial for a company to identify and locate the trade secrets on its networks, and those that are being deposited there in the ordinary course of business. Every company has such mission-critical secrets: design specifications, chemical formulas, computer code, financial algorithms, customer lists, and business plans, to name a few. Finding them is a key, and sometimes overlooked, part of a top-to-bottom network vulnerability analysis. Unless a company knows what trade secrets it has and where they are located, it cannot begin to secure them.

Once a company catalogs its online trade secrets, it should ask several high-level strategic questions: How are they currently safeguarded? Who may access them? What systems are in place to alert the company that the trade secrets have been exfiltrated or altered? These questions and the protective measures developed in response are not only important to thwart cyber attackers—but also help to prevent all types of attempted trade secret theft, whether conducted via the Internet or the old-fashioned way. They also help to best position the company if it brings litigation seeking damages, injunctive relief, or other recompense for the theft. Although the cybertheft of trade secrets has not yet yielded many judicial decisions, law books are rife with cases of companies seeking damages resulting from current or former employees spiriting off trade secrets to their next employer or to a competitor. One of the central questions in any such litigation is: did the company make reasonable efforts under the circumstances to protect the secrecy of its confidential information? The
reasonable measures identified in these decisions—such as training employees on trade secret protection, requiring employee confidentiality agreements prior to granting access, and revoking access upon termination from the company—apply with equal force in the cyber context, and companies should employ them. Below, we discuss additional cyber-specific protective measures that companies can consider taking.

■ Planning for the worst

Certain adversaries—especially nation-states and state-sponsored groups targeting U.S. trade secrets—are highly skilled, technologically savvy, and persistent. They are not trolling for just any IP, and they will not be put off by even best-in-class technical defenses and move onto the next target when their mission is to steal your company’s secrets. Even with reasonable defenses in place, companies should assume that an attack will eventually be successful, and that a company’s IP and trade secrets may be compromised as a result. One way companies can protect themselves is to consider ways, such as the following suggestions, to reduce the likelihood that even a successful intrusion leads to IP theft.

Access controls and segmentation

Companies should implement access controls on crown jewel data. Although almost every employee requires access to certain parts of the company’s network, not all of them need access to files containing trade secrets. Not even all employees that require access to some trade secrets need access to all. A smart access control system makes it clear that secrets actually are treated as secrets—i.e., only those with a need to know (as opposed to everyone with a network password) are given access to the data.

Another related layer of protection is ‘trade secret segmentation,’ which, according to John Villasenor in his article Corporate Cybersecurity Realism (Aug. 28, 2014), is distributing information “so that no single cybersecurity breach exposes enough of a trade secret to allow the attacker to obtain the full set of information needed to replicate a targeted invention, product, or service.” A company can achieve segmentation in two ways detailed by Villasenor: first, by dividing a trade secret into modules, distributing the modules across multiple networks, and ensuring that there is no easy path from one network to the next; and second, once the trade secrets are broken up into modules, by allowing employees access only to the modules that are relevant to them. Some modules can be separated physically and allow nearly no user access. For example, ‘negative information’—valuable secrets about what does not work and is often the result of meticulous collection of data through extensive, costly research—is not frequently accessed in a company’s day-to-day operations and therefore can be segmented and stored in an extremely limited set of locations. Implementing robust access control alongside segmentation makes it more difficult for an adversary to steal a company’s crown jewel trade secrets in a single attack, and to ‘spear-phish’ its way into accessing some or all of a company’s crown jewel data under the guise of an authorized user.

Monitor data flow, not just authorization

Instead of monitoring only for unauthorized access, companies should flag and investigate instances and activity of high-volume or suspicious data transfers, whether or not the transferor is ‘authorized.’ Systems that look only for suspicious behavior by unauthorized users can blind the company to critical and common cyberattacks. History shows that trade secret theft frequently is carried out by authorized users—think about a disgruntled employee downloading the master customer list, or the trading algorithm, right before he or she quits to work for a competitor. In another common scenario, when hackers obtain privileged user credentials to infiltrate a company’s network, activity that appears attributable to ‘Mike in Accounting’ may actually be malicious. Systems should be designed to monitor the flow of key data, whether or not it is being accomplished by someone with apparent trust.
Mark and tag secrets

Even in the bygone days of trade secrets on paper, companies knew to clearly mark their secrets with a legend. This accomplished two things: employees would know to handle those secrets consistent with the company’s trade secrets policies, and if they were stolen, they could be identified as the company’s property. Just like cartographers of old intentionally included fake shortcuts, streets, and even towns to immediately recognize misappropriated copies of their maps, tagging digital assets provides a way to definitively prove that the IP was originally yours. Today, with an array of technological means at hand, companies can do more, including tagging digital IP with code that could, say, render stolen files inoperable. The IP Commission Report correctly recommended that “protection…be undertaken for the files themselves and not just the network, which always has the ability to be compromised.” It suggested that:

Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen. Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. (IP Commission Report at 81.)

Collect forensic leads as part of incident response

Of course, executives must make sure that the company has created a robust incident response plan and has practiced and exercised it. Under such a plan, the first call should be to experienced outside counsel, who can hire the forensics and crisis PR teams to investigate and respond to what happened, and who give the results of the investigation the greatest chance of being considered privileged, which is important as the legal and regulatory consequences of breaches continue to grow. It is also important—especially with potential trade secret theft—to preserve all information surrounding the incident in a forensically sound way. For example, collecting and analyzing log information may allow a company to determine what data were lifted and where they were sent, which could be critical in investigations by law enforcement and in post-breach litigation.

■ Taking on the IP thieves and their beneficiaries

Adversaries want to steal your trade secrets for a simple reason: to use, sell, and profit from them. Every IP theft contains the seeds of unfair competition based upon the stolen secrets. Assume the worst has happened, and you begin to see the company’s hard work or research emerge in the marketplace, embedded in a competitor’s product or across the negotiating table. What options do you have? We discuss five here:

Misappropriation of trade secrets. The victim of trade secret theft may bring an action under state law to enjoin the beneficiary of the theft and recover damages. (There currently is no federal private right of action for misappropriation of trade secrets.) As already discussed, most states have adopted a version of the Uniform Trade Secrets Act, or UTSA. UTSA prevents using a trade secret of another without consent if the defendant employed improper means to appropriate the secret, or “knew or had reason to know that his knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA §§ 1(2)(ii)(A); 1(2)(i). UTSA,

bureaucratic, that was in the context of arguing for a quicker method for U.S. companies to seek exclusion. Our experience is that § 337 actions tend to be much quicker than currently available alternatives, including state and federal court litigation. The ITC process offers U.S. companies a powerful weapon against importation of goods containing stolen trade secrets.

Computer Fraud and Abuse Act (CFAA). Under certain circumstances, the CFAA provides a private right of action for companies to bring suit against a party who knowingly and intentionally accesses a protected computer without authorization, obtains information, and causes harm. 18 U.S.C. § 1030(g). The victim may be able to seek damages from not only the
    individual who accessed the computer
    and stole the information but also the
    company profi ting from the stolen trade
    secret so long as the victim can plead and
    prove that the competitor “conspire[d] to
    commit” such an offense (18 U.S.C. §
    Call the feds. A company may refer the
    theft to federal criminal authorities, which
    can bring charges under 18 U.S.C. §§ 1831-
    32 for theft of trade secrets and economic
    espionage. The economic espionage and
    trade secret theft statutes reach not only
    parties who steal the trade secret but also
    anyone who “receives, buys, or possesses
    a trade secret, knowing the same to have
    been stolen or appropriated, obtained,
    or converted without authorization.”
    18 U.S.C. §§ 1831(a)(3); 1832(a)(3). In addi-
    tion to imposing hefty fi nes ($5 million for
    organizations, unless the theft was intend-
    ed to benefi t a foreign government, in
    which case it is $10 million), the law also
    allows judges to force the criminals to
    forfeit “any property, or proceeds derived
    from the stolen or misappropriated trade
    secrets, as well as any property used or
    intended to be used to help steal trade
    secrets.” 18 U.S.C. §§ 1834, 2323(b).
    therefore, allows an action against the
    hacker and the company seeking to ben-
    efi t from the stolen trade secrets, if the
    plaintiff can show that the competitor had
    reason to believe that the data it was
    using were stolen from someone else’s
    network. The remedies available under
    UTSA are powerful and encompass dam-
    ages and injunctive relief. UTSA author-
    izes a court to award damages for actual
    loss and unjust enrichment, including
    multiple damages if the misappropriation
    was “willful and malicious.” UTSA §§
    3(a); 3(b). A court also may enjoin actual
    or threatened misappropriation or may
    condition the competitor’s future use of
    the trade secret on payment of a reasona-
    ble royalty. UTSA §§ 2(a); 2(b).
    Section 337 of the Tariff Act of 1930. To sty-
    mie competitors that import their prod-
    ucts into the U.S., a potent option is to
    initiate a process at the International Trade
    Commission (ITC) under Section 337 of
    the Tariff Act of 1930. A company may
    petition the ITC to investigate whether
    imported goods are the result of “unfair
    methods of competition”—which includes
    incorporating stolen trade secrets—so
    long as the unfairness has the potential
    to injure or destroy a domestic industry.
    19 U.S.C. § 337. Because § 337 investiga-
    tions are brought against goods, not par-
    ties, there is no need to prove that the
    specifi c company profi ting from the stolen
    data was actually behind the cyberattack,
    only that the product was made or devel-
    oped using misappropriated trade secrets.
    Even though the ITC cannot award dam-
    ages under § 337, the remedy it can issue
    is potent against any company seeking to
    import misappropriated products in the
    U.S.: it can issue an order, enforceable
    by Customs and Border Protection, pre-
    venting goods from entering the country
    and enjoining sale of such products
    already here.
    Although the IP Commission has criti-
    cized the § 337 process as too lengthy and
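To make the sidebar’s “trap street” idea concrete, here is an added example (it is not from the chapter or the IP Commission Report) of per-recipient canary records: each copy of a sensitive data set handed to a partner gets one fake row whose identifier is a keyed MAC over the recipient’s name, so a leaked copy can be traced to the copy it came from, and the owner can show that the marker verifies only under its own key. The data set, the tagging key and the recipient names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data set standing in for a trade-secret file
# (a formulation table). All values are invented for this example.
SECRET_RECORDS = [
    {"part": "AX-1001", "resin_pct": 42.5, "cure_temp_c": 180},
    {"part": "AX-1002", "resin_pct": 39.0, "cure_temp_c": 175},
    {"part": "AX-1003", "resin_pct": 44.1, "cure_temp_c": 185},
]

# Hypothetical master tagging key. Assumption: in production it lives in a
# secrets manager or HSM, never alongside the tagged files.
TAG_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def canary_for(key: bytes, recipient: str) -> dict:
    """Derive the recipient-specific fake record (the map maker's trap street).

    The part number embeds a keyed MAC over the recipient id, so it is
    unpredictable without the key and unique to that recipient. The other
    columns are derived from the MAC as well, so the row resembles its
    neighbours instead of standing out.
    """
    mac = hmac.new(key, recipient.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "part": f"AX-{mac[:8].upper()}",
        "resin_pct": round(40.0 + int(mac[8:10], 16) / 25.5, 1),
        "cure_temp_c": 170 + int(mac[10:12], 16) % 20,
    }


def tag_copy(key: bytes, records: list, recipient: str) -> list:
    """Return a copy of the data set with the recipient's canary inserted.

    The insertion point is derived from the MAC too, so the marker is not
    always the last row (which would make it trivial to strip).
    """
    tagged = [dict(r) for r in records]
    canary = canary_for(key, recipient)
    position = int(canary["part"][-2:], 16) % (len(tagged) + 1)
    tagged.insert(position, canary)
    return tagged


def identify_recipient(key: bytes, leaked_records: list, candidates: list):
    """Return the candidate whose canary appears in a leaked copy, or None.

    Matching on the part number alone tolerates reordering, deletion of
    genuine rows and edits to the other columns.
    """
    leaked_parts = {r.get("part") for r in leaked_records}
    for recipient in candidates:
        if canary_for(key, recipient)["part"] in leaked_parts:
            return recipient
    return None


if __name__ == "__main__":
    partners = ["partner-alpha", "partner-beta"]
    copies = {p: tag_copy(TAG_KEY, SECRET_RECORDS, p) for p in partners}
    # A leak that was reshuffled and had a genuine row removed still traces back.
    leak = [r for r in reversed(copies["partner-beta"]) if r["part"] != "AX-1001"]
    print("leak traced to:", identify_recipient(TAG_KEY, leak, partners))
```

Because the marker is a keyed MAC rather than a fixed legend, a competitor cannot forge one, and a value that verifies under the owner’s key is evidence of where the data came from. The scheme does not survive a recipient deliberately deleting rows it suspects, so in practice several markers go into each copy, and the key must be guarded as carefully as the data it protects.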

    ■ 142 SecurityRoundtable.org
Of course, there are always pros and cons to be weighed before bringing civil litigation or involving federal law enforcement authorities. For example, law enforcement has a greater array of tools to compel production of evidence quickly, unlike in a civil suit, although a parallel criminal action may affect the company’s ability to seek civil discovery if the defendants seek a stay or exercise their Fifth Amendment right not to testify. There are also practical and business considerations that may argue for or against such a suit, including its potential to affect existing or future commercial relationships and continued access to foreign

Future action: Report cyberspies and their beneficiaries under Executive Order 13694. In response to high-profile cyberattacks, the President and the federal government recognized that cyber espionage is a serious threat to the nation’s economy and national security but acknowledged that it is not always possible to take criminal or civil action against perpetrators because they are often outside the jurisdictional reach of U.S. courts. For that reason, the U.S. has devised another method for reaching these malefactors, punishing them for their actions, and deterring future attacks. On April 1, 2015, the President signed Executive Order 13694, authorizing the Office of Foreign Assets Control, or OFAC, within the Treasury Department, to (i) identify foreign hackers, the parties who aid them, and the parties who benefit from their activity by using their stolen information to profit and (ii) respond by freezing their U.S. assets and imposing sanctions. OFAC will add foreign individuals identified as being responsible for, contributing to, complicit in, or profiting from significant malicious cyber-enabled activities to its list of Specially Designated Nationals (SDNs). To earn a spot on the SDN list, the associated attack has to be “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Although OFAC cannot assist a company with recovering lost information or barring products from entering the market, reporting the perpetrators of particularly serious cyberattacks to OFAC can serve as a powerful deterrent. It is important to note that E.O. 13694 is, at the writing of this chapter, so new that OFAC has yet to promulgate final regulations governing the SDN-designation process, so companies should consult with counsel to understand their options once final rules are in place.

■ Conclusion

Trade secrets are high on the list of assets that cyber spies are interested in stealing. Careful planning will help your company do its best to prevent the theft of these valuable assets and to thwart a competitor’s attempt to profit from its crimes if an attack is successful. If the worst-case scenario materializes and you discover that your company’s IP has been stolen, take immediate steps to engage experienced outside counsel to assess your best options to investigate the breach, recover damages, enjoin unfair competition, and seek justice.

    Latham & Watkins LLP – Jennifer Archie, Partner
    Cybersecurity due diligence in M&A
    transactions: Tips for conducting
    a robust and meaningful process
    To begin with a tautology, when you buy a company, you
    buy their data—and the attendant risks to that data.
    Cybersecurity risks are not limited to consumer-facing
    businesses, whose recent losses of cardholder or patient
    data grab news headlines. Indeed, few businesses today
    have assets and liabilities that are not in some sense data
    driven. For most business combinations—whether M&A,
    joint venture, or leveraged buyout—cybersecurity should
    be a risk category in its own right. Buyers should review
    not just historic breaches but also cybersecurity risk man-
    agement. Even though these risks are hard to quantify, the
    analysis will inform deal terms, deal value, and post-deal
    indemnity claims.
    ■ First step: Get an early read on cyber readiness
    at the engagement stage
    Buyers should begin all cybersecurity risk assessments
    early in the engagement process, with the goal of clearly
    articulating as early as possible the target company’s
    most important information assets, systems, and busi-
    ness processes. Every target business should be able to
    readily identify which information technology (IT) sys-
    tems and data sets are most valuable to the business and
    explain at a high level how the company protects and
    exploits them. Even at the earliest stages, the seller
    should be prepared to identify and discuss the following
    at a high level:
    � What types of information or computer systems and
    operations are most important to your business? What
    sensitive types of data do you handle or hold relating
    to natural persons (which data elements in particular)?
    � Where is sensitive information stored?
    � How is it protected in transit, at rest, and in motion?
    � What are the most concerning threats to information,
    networks, or systems?

    ■ 144
    government investigations from the Federal
    Trade Commission (FTC) or other agencies
    may be poorly understood. Federal investi-
    gations tarnish brands, especially if enforce-
    ment results. Investigations are expensive
    and distracting, and may lead to a sweeping
    10- or 20-year permanent injunction dictat-
    ing how future information security will be
    managed and monitored. Compliance with
    such a decree is expensive and limits a com-
    pany’s independence and fl exibility in sig-
    nifi cant ways. After a breach, management is
    often surprised to learn how persistent and
    aggressive the FTC or state attorneys general
    can be, even if the company sees itself as a
    victim of harm, not a perpetrator of con-
    sumer injury. If the target’s legal or business
    representatives are not knowledgeable about
    the regulatory and enforcement environ-
    ments, buyers should not place much weight
    on a seller’s lulling statements or assurances
    that there have been no incidents or that risk
    of a cyber event is low.
    ■ Check for integrated cyber risk awareness
    and mitigation and a comprehensive security
    management program
    Another sign of a mature security program
    is a management team with cross-function-
    al awareness on these points at the CEO
    and board levels, as refl ected in board min-
    utes or other documentation. A security
    program will not be effective if it is a silo
    inside the IT or information security func-
    tions. All substantial stakeholder depart-
    ments should be involved in cybersecurity
    risk management, including business unit
    leaders, legal, internal audit and compli-
    ance, fi nance, human resources, IT, and risk
    Diligence questionnaires should ask the
    target company to generally summarize the
    administrative, technical, and physical infor-
    mation security controls currently in place to
    safeguard the most critical business data sets.
    Such controls include technical measures
    (such as boundary and malware defense,
    data encryption, intrusion detection systems,
    anomalous event monitoring, and access
    controls), administrative measures, and
    � Have there been prior incidents?
    � What is the cybersecurity budget?
    � What are your recovery plans if
    critical information or systems become
    If the front line deal-facing personnel
    respond, “I don’t know, I’d have to ask,” this
    is a telling and interesting sign that the target
    company’s security management program is
    likely not well integrated into the senior
    leadership ranks. Sellers thus should be pre-
    pared in early discussions to showcase a
    sophisticated understanding of data security
    risks and how those risks may materially
    affect the company’s operations, reputation,
    and legal risks (or not). A buyer’s key dili-
    gence objective should be to probe and test
    whether the target company has imple-
    mented a mature risk management organiza-
    tion to evaluate the accuracy of management
    assurances about lack of historical breaches,
    payment card industry (PCI) compliance,
    protections against competitor or insider
    theft, and business continuity. Too often in
    hindsight, a target’s statements made in dili-
    gence turn out to have been good faith
    impressions, or even merely aspirational or
    refl ective of paper policy, but not operational
    ■ Tailor diligence to what types of information
    are handled and how important is
    information security to the bottom line
    Beyond these general questions, the buyer
    should directly probe whether the target
    management has a sophisticated under-
    standing of potential cyber-related liabilities
    and the regulatory environment. Unlike
    environmental or traditional fi re or natural
    disaster scenarios, cyberattack-related liabil-
    ities are multi-faceted and unique. In some
    industries—such as energy, transportation,
    fi nancial institutions, health care, defense
    contracting, education, and telecommunica-
    tions—government oversight can be active
    and intrusive, and the target’s subject matter
    expertise will likely reside within the legal,
    compliance, and/or IT functions. In other
    industries, however, exposure to costly

    145 ■
    been adopted, budgeted and scheduled, or
    already implemented.
    For companies whose vendors hold com-
    pany-sensitive data or access systems, the
    company should have implemented—prior
    to engaging in a business relationship—a
    formal vendor management program that
    specifi cally assesses risk and identifi es
    potential security or data privacy concerns
    and appropriate remediation next steps.
    After a decision to engage, the company
    should mitigate data security risks through
    written agreements and supervision. These
    third parties should have data security
    insurance coverage and/or the agreements
    should require such a party to defend and
    indemnify the target company for legal lia-
    bility arising from any release or disclosure
    of the information resulting from the negli-
    gence of the vendor or other third party.
    Third-party agreements involving data
    exchange or access also should articulate
    breach notifi cation procedures, cooperation
    levels, information sharing, and expressly
    assign incident control and reporting
    Cloud-based or other software-as-a-
    solution (SAAS) solutions as well as mobile
    devices present their own cybersecurity risks
    and should not be overlooked in diligence.
    Does the company permit employees to use
    cloud-based fi le-sharing services? Does it
    rely on SAAS solutions for critical or other
    business needs such as contact relationship
    management or HR? Email? How are the
    security and compliance risks presented
    being managed? Companies that issue or
    support mobile devices should have policies
    and procedures in place designed to protect
    sensitive information in those environments.
    ■ Use subject matter experts to assess cyber
    readiness and liabilities
    Given the importance of the above ques-
    tions, the buyer should pay careful atten-
    tion to who asks these questions on behalf
    of the buyer or underwriters, in what set-
    tings, and with what time allowances. Put
    simply, deal teams ideally should embed
    subject matter experts on the business side,
    physical security. The company should have
    a current documented crisis management/
    incident response plan in place, including
    pre-staging of legal and forensic experts and
    a public relations strategy, all approved by
    senior management. A seller should specifi –
    cally inquire about and assess what fi nancial
    resources are applied to data security, in the
    context of the target’s overall approach to
    risk containment and specifi c to its industry.
    Also, sellers should ask the following to
    gather detailed information about how the
    company has organized the management of
    cybersecurity and risk:
    � Is there a single designated person with
    overall responsibility? To whom does he
    or she report? (Risk Offi cer? CTO? CIO?
    � Describe board oversight. Have directors
    and senior managers participated in data
    security training/been involved in the
    development of data security protocols?
    � Does the company have legal counsel
    regularly advising on data security
    compliance? Is counsel internal or
    external, and if external, who?
    � How does the company educate and train
    employees and vendors about company
    policies, information security risks, and
    necessary measures to mitigate risk?
    � How can employees or members of the
    public (such as independent security
    researchers) report potential vulnerabilities/
    breaches, including irregular activity or
    � What is the plan to recover should critical
    or other necessary systems become
    unavailable? What are the recovery point
    and recovery time objectives? How have
    these and other elements of the plan been
    correlated to business needs?
    If the company has in the last year or two
    completed an internal or external audit or
    assessment to determine compliance with
    company security policies and/or external
    security standards, this should be requested,
    or at a minimum the target company should
    report whether all recommendations have

    ■ 146
    network. The attacker then acquired elevat-
    ed rights that allowed it to navigate portions
    of the company’s systems and to deploy
    unique, custom-built malware on self-check-
    out systems to access the payment card
    information of up to 56 million customers
    who shopped at U.S. and Canadian stores
    between April 2014 and September 2014. In
    fi scal 2014, alone, Home Depot recorded $63
    million in pretax expenses related to the data
    breach, partially offset by $30 million of
    expected insurance proceeds for costs
    believed to be reimbursable and probable of
    recovery under insurance coverage, result-
    ing in pretax net expenses of $33 million.
    What this sort of fi nancial and reputa-
    tional exposure means for M&A diligence
    within the retail sector is that buyers should
    devote expert and highly substantive atten-
    tion to how cardholder data are collected,
    stored, handled, and secured. Payment pro-
    cessing services are material to all retail
    businesses, and all payment processing
    agreements have PCI compliance as a mate-
    rial term. So just as the SEC always wants to
    know about where that relationship stands
    in its review of risk factors, buyers too want
    to pay special attention in this area. If PCI
    compliance is lacking, the seller should at
    least be able to disclose a specifi c remedia-
    tion timeline and a budgeted plan that is
    hopefully supervised and accepted by the
    payment processor.
    PCI compliance handled correctly is costly
    and involves constant adaptation and opti-
    mization to new threats and new standards.
    It is not an annual “check-a-box” process.
    Within the data security space—as was true
    for Home Depot, Target, and many others—
    good business practice assumes that a com-
    promised merchant will have a recent,
    valid, self-certifi cation or even third-party
    certifi cation of PCI compliance. However, a
    buyer should not rely simply on the inclusion
    of such a report or certifi cate in a virtual data
    room. Many a breached retailer has held a
    current PCI certifi cation. Accordingly, the
    buyer should always test the security of
    cardholder data independently, at a process
    the technical side, and even the legal side
    early on—to do the following:
    � Pose questions orally
    � Follow up with document requests
    � Assess the documentation
    � Conduct on-site testing and analysis
    where appropriate
    � Assess and advise on the maturity
    and suitability of the program to the
    underlying data risks
    � Review and advise on deal terms or costs
    to remediate gaps in compliance or risk
    Very importantly, the deal team also must be
    nimble and focused upon the specifi c indus-
    try, because cybersecurity risks are highly
    variable across industry sectors; threats,
    liabilities, and government expectations for
    adequate security are evolving constantly.
    For example, if hackers acquire and then re-
    sell large databases of cardholder data to
    identity thieves—as happened to Target and
    Home Depot—the types of expenses and
    liabilities a buyer could expect are well doc-
    umented in SEC fi lings. Expenditures
    include the following:
    � Costs to investigate, contain, and remediate
    damaged networks and payment systems
    and to upgrade security
    � Liability to banks, card associations, or
    payment processors for fi nes, penalties,
    or fraudulent charges
    � Card reissuance expenses
    � Expense of outside legal, technical, and
    communications advisors.
    ■ For retail sector, diligence surrounding
    PCI compliance should seek more than
    a “yes” or “no” response
    Buyers of companies who accept, process,
    store, or handle cardholder payment data
    streams of course will want to pay particular
    attention to compliance with current PCI
    standards. At Home Depot, for example, an
    attacker used a vendor ’s username and
    password to gain access to Home Depot’s

    147 ■
    email and no way to process employee
    benefi ts or time cards (Source: http://www.
    tack-on-sony-60-minutes/). To add insult to
    injury, much of the exfi ltrated material is
    now readily available (and free text search-
    able) on WikiLeaks.
    The potential for outright theft of intellectu-
    al property by competitors should not be over-
    looked. In DuPont v. Kolon (United States v.
    Kolon Industries, Inc. et al.), for example, the
    manufacturer of Heracron, a competitor prod-
    uct to DuPont’s Kevlar, misappropriated
    DuPont’s confi dential information by hiring
    former DuPont employees as consultants and
    pressuring them to reveal Kevlar-related trade
    secrets. DuPont sued the competitor, Kolon, in
    2009, and in 2012 the Department of Justice
    brought criminal trade secret misappropriation
    charges against Kolon and fi ve of its executives
    pursuant to 18 U.S.C. § 1832. In light of the
    parallel charges, Kolon settled, paying $360
    million in damages—$85 million in fi nes and
    $275 million in restitution. (Source: Department
    of Justice Offi ce of Public Affairs, http://www.
    trade-secrets). To assess these sorts of risks,
    acquirers should ask:
    � Are there former employees who had
    access to critical intellectual property or
    other company confi dential information
    who have recently left for competitors?
    � What agreements are in place to protect
    the proprietary information they have?
    U.S.-based businesses, academic institutions,
    cleared defense contractors, and government
    agencies increasingly are targeted for eco-
    nomic espionage and theft of trade secrets by
    foreign competitors with state sponsorship
    and backing. In the last fi scal year alone,
    economic espionage and theft of trade
    secrets cost the American economy more
    than $19 billion. According to the FBI,
    between 2009 and 2013, the number of
    arrests related to economic espionage and
    theft of trade secrets—which the FBI’s
    level if necessary. The same security consult-
    ants who arrive post-breach to assess root
    cause and damage can examine card-related
    data security very meaningfully in the M&A
    setting, even with only a few days of on-site
    interviews and document collection. If PCI
    compliance concerns arise in diligence, deal
    terms can be arranged that mandate and
    appropriate funding for third-party inde-
    pendent assessments and implementation of
    recommendations. Moreover, many retailers
    now are migrating to new payment systems,
    and this is a unique technology risk because
    of the likelihood of delay, interruptions, and
    budgetary over-runs.
    ■ Understand and assess awareness
    and mitigation of risks of trade secret
    theft, nation-state espionage, and denial
    of service attacks
    Beyond payment card security risks, theft of
    trade secrets by competitors and insiders,
    state-sponsored espionage that is exploited
    for economic advantage, and cyberattacks
    that disable or cripple corporate networks
    are less publicized but can be equally dam-
    aging to a target business. For example, the
    high-profi le, studio-wide cyberattack at
    Sony Pictures in November 2014 at the
    hands of a group calling itself #GOP, aka
    the Guardians of Peace, starkly illustrates
    the potential to cripple a business. The
    attack, which the FBI attributed to North
    Korea, resulted in the theft of terabytes of
    company internal email and documents,
    release of unreleased movies to fi le-sharing
    networks, deletion of documents from Sony
    computers, threatening messages to the
    company and individual employees, theft
    and apparent exploitation of sensitive
    human resources data, and a near complete
    and prolonged disruption of the company’s
    ability to transact business and communi-
    cate electronically over its networks and
    systems. In an interview with CBS News,
    Sony’s outside cyber investigator, Kevin
    Mandia, disclosed that 3,000 computers and
    800 servers were wiped, and 6,000 employ-
    ees were “given a taste of living offl ine”—no

    ■ 148
    � What is known about the attackers and
    the attack vector?
    � What data do you suspect or know were
    � How long between the fi rst known
    intrusion and discovery of the incident?
    � Do you suspect or know whether the thief
    or intruder attempted or made fraudulent
    or competitive use of exfi ltrated data?
    � During the past three years, have you
    experienced an interruption or suspension
    of your computer system for any reason
    (not including downtime for planned
    maintenance) that exceeded four hours?
    A buyer should assess a target’s measures to
    prevent and detect insider threats, including
    whether basic protections are in place to
    identify and mitigate insider threats, such as
    the following:
    � Pre-employment screening via dynamic
    interviews, background checks, and
    reference checking
    � Workforce education on warning signs
    � Internal network security measures such
    as website monitoring, blocking access
    to free (unauthorized) cloud-storage sites
    such as Dropbox, turning off USB drives
    � Automated monitoring of Web, deep
    Web, or peer-to-peer network searching
    for leaked data.
    Private and state actors have made use of
    denial of service attacks to disrupt the busi-
    ness of a company that meets with their disap-
    proval (or as an extortion scheme). Material
    impact on ecommerce, on-line entertainment,
    email, and other critical systems are the result.
    An acquirer might reasonably ask:
    � Has the target company evaluated its
    exposure to such attacks?
    � What measures does it have in place to
    defend itself?
    � How would it know if such an attack was
    � Have any such attacks occurred?
    Economic Espionage Unit oversees—at least
    doubled, indictments more than tripled, and
    convictions increased sixfold. These num-
    bers grossly understate the frequency of
    such attacks or losses. Last year, the United
    States Department of Justice indicted fi ve
    Chinese military hackers on charges includ-
    ing computer hacking, identity theft, eco-
    nomic espionage, and trade secret theft
    from 2006 to 2014. The alleged actions
    affected six U.S.-based nuclear power,
    metal, and solar product companies. The
    indictment, fi led May 1, 2014, alleges that
    the defendants obtained unauthorized
    access to trade secrets and internal commu-
    nications of the affected companies for the
    benefi t of Chinese companies, including
    state-owned enterprises. Some defendants
    allegedly hacked directly—stealing sensi-
    tive, nonpublic, and deliberative emails
    belonging to senior decision makers, as
    well as technical specifi cations, fi nancial
    information, network credentials, and stra-
    tegic information in corporate documents
    and emails—while others offered support
    through infrastructure management. Charges
    were brought under 18 U.S.C. §§1028, 1030,
    1831, and 1832. (Source: Department of Justice
    Offi ce of Public Affairs, http://www.justice.
    g o v / o p a / p r / u s – c h a rg e s – f i v e – c h i n e s e –
    Many companies choose not to publicly
    disclose or discuss these sorts of attacks or
    disruptions, which may go undiscovered for
    many months and often years. Even when
    attacks are discovered, breaches may not be
    reported to law enforcement or even to
    affected commercial partners. Questions
    about historical incidents during due dili-
    gence therefore should be open-ended but
    also very direct:
    � Have you suffered thefts of confi dential
    data (wherever stored)?
    � Has your network suffered an intrusion?
    � Did you retain outside experts to

SecurityRoundtable.org 149 ■

■ Assessing cyber insurance
Finally, buyers should evaluate the extent to which cyber risks are mitigated by insurance coverage, including whether enhancements to the cyber program may be available post-closing. Most cyber insurance policies today cover the data breach and privacy crisis management expenses associated with complying with data breach notification laws. Those costs include the costs of expert legal, communications, and forensic advisors, benefits such as credit repair or monitoring to affected individuals, and even costs of responding to government investigations or paying fines. Cyber coverage is also widely available for extortion events, defacement of website, infringement, and network security events, even arising from theft of data on third-party systems or malicious acts by employees. Because of the volatility and variability of the cyber insurance market at this time, buyers should closely examine policies for what is covered, deductibles, coverage periods, and limits. Diligence experts should also evaluate post-closing opportunities to enhance the insurance program if significant unmitigated risks of third-party liabilities or direct expense from an attack have been identified.

■ Conclusion
If there was ever an era when minimizing or commoditizing assessment of cybersecurity risks in the M&A space was sensible, that time has surely passed. Expertise in assessing data-driven risks should be embedded on the front end of every transaction and tracked throughout the deal, so that deal terms, deal value, and post-closing opportunities to strengthen security can be considered against a fully developed factual picture of the target company’s cyber readiness and exposure.

Kaye Scholer LLP – Adam Golodner, Partner
International inflection point—companies, governments, and rules of the road

In the attorney general’s conference room at the United States Department of Justice is a mural on the ceiling—on one end a heavenly depiction of justice granted, and on the other a depressing tableau of justice denied. These images help remind us that principles matter, choices matter, and in many situations divergent outcomes are possible. We are at this kind of inflection point in global cyber. Technology, software, hardware, and physical and social networks are embedded everywhere today. Into the future the Internet of Things and the Industrial Internet will bring the next wave of global hyper connectedness and drive business innovation, new markets, efficiency, and consumer benefits globally. Every business today is a technology business, and every society increasingly a technology society. We all benefit from it. It is good. The world has changed, but it has also stayed the same.

In some sense, cyber issues are not new. They are the same issues countries and societies have been dealing with for centuries—theft, fraud, vandalism, espionage, and war. Over time, societies have created rules to deal with these domestically and globally. But cyber presents new facts. Activities and incidents happen at machine speed, and distance hardly matters. Masking who you are is easier. Some seemingly anonymous person can reach out and touch you instantaneously from anywhere. The kind of information we collect is quantitatively and qualitatively different than the past. We must appreciate and understand these facts and what they mean.

With a future of embedded everything and hyper connectivity, we have to create acceptable ‘rules of the road’ that ensure we get the promise of the future, not a world where governments or individuals turn that promise on its head and abuse the very same connectedness. Countries and companies have to define acceptable ‘rules of the road’ for behavior in cyberspace—what’s okay and not okay for governments to do to each other, companies, and individuals in cyberspace. Analogies can and should be made to longstanding principles relating to theft, fraud, vandalism, espionage, and war—and how countries deal with each other on these issues. After all, technology is a tool; we have had tools in the past, and we have applied age-old principles to new tools throughout history. However, the pace of change is accelerating. That means we need to move fast to apply new facts to old principles now and help shape the future. Like the mural on the ceiling of the attorney general’s conference room, different future outcomes are possible. What principles and rules will secure goodness into the global technology future? What are the roles of companies, boards of directors, and CEOs in shaping that future? We discuss these questions in this chapter.

There are three areas in which companies and their leaders can help: rules of the road, cyber laws globally, and security and privacy.

■ Rules of the road
Cyber is a top issue for the U.S., E.U. Member States, China, India, Russia, Brazil, Australia, and Japan, and the heads of state in each of these countries spend significant time on the issue. For the last three years the U.S. has said that cyber is the number one national security threat to the U.S.—not nuclear, biologic, or chemical, but cyberthreat. All these countries view cyber as a national security and economic security issue. In national security, cyber is both an offensive and a defensive issue. On the offensive side, cyber tools and techniques can be a means of espionage, war, or deterring a threat. On the defensive side, conversely, countries are concerned that companies in critical infrastructure sectors (financial, communications, defense, electric, energy, transportation, health care, chemical, public services) can have their operations affected, data compromised or destroyed, or public safety threatened—in effect, bringing important segments of the economy to a halt.

U.S. policy leaders also are highly concerned about other nation-states stealing core intellectual property, business and deal strategies, and next generation innovation from U.S. companies, with that very same stolen intellectual property being given by the governments that stole it to favored domestic champions for the purpose of competing against that very same victim of the theft. Companies share these concerns. No company wants to have its operations, brand, or competitive advantage undermined or destroyed. Despite these concerns, nation-state, non-nation-state, hacktivist, and criminal activity continues. In fact by all accounts it’s increasing in all categories across the governmental and commercial

Although some policy makers have begun to talk about cyber ‘norms,’ there has not been sustained multi-lateral head-of-state to head-of-state work to set rules of the road. However, it has to begin. The issues are big enough and complex and significant enough that we have to set the right path now. We can build rules that the majority of the family of nations can agree to and then bring the outliers along. Most commentators are of the view that a formal treaty is premature, if it ever makes sense. This sounds right to me. However, the time is right to up-lever the conversation to the head of state level and convene the heads of state of some core countries (such as U.S., U.K., Germany, France, Sweden, Estonia, India, Brazil, Japan, Korea, Australia, Canada) to start to build out offensive, defensive, law enforcement, and commercial rules of acceptable behavior. Of course, other countries, such as China, could join in short order if it turns out they are in fast agreement, but the work of building out the core should move ahead without waiting for everyone to be on board. An additional benefit of doing this is that it reduces the impulse of countries to complain about the activities of other countries when the activity at issue is one that all countries find to be acceptable, and in the converse, gives weight to complaints about activities outside of the

Why should companies care? Why should they be integral to these discussions? First, companies own the enterprise networks and databases in which cyber activity takes place—domestic companies and global companies. Companies own the software, hardware, the information, and the upstream and downstream relationships where this contest takes place. Think of the Internet—every little bit of it is owned by somebody, and the vast majority is owned by public companies globally. Although cyber is the fifth fighting domain (along with land, sea, air, and space), it is the only one owned essentially by private companies. Second, information technology and communications services and products are created and sold by the private sector. If a government acts on those services or products, it acts on services and products with a private sector brand. The same brand used by other companies. Third, the future of the global interoperable, open, secure network is at stake. Will companies be able to continue to drive innovative business models, or will they be stifled by the rules and activities of governments, hacktivists, and criminals playing in their playing field?

Here are some ‘rules of the road’ that should be in play. What cyber activity is an act of war? What cyber activity is acceptable espionage? What is cyber vandalism, and what is the appropriate response? What activity by a nation-state is acceptable on a bank, stock exchange, energy, transportation, electric, or life sciences company? What if it’s a non-nation-state activity? What action is acceptable to proactively stop a planned cyber activity? What principles should animate the decision to use a cyber tool of war on a target connected to the Internet? Is it OK to deliver cyber means through private networks or technologies? What is an acceptable response to another country’s cyber or kinetic act? What are the principles for disclosing or stockpiling zero-day vulnerabilities or interdicting a supply chain? How can we make global assurance methodologies such as the Common Criteria for Information Technology Security Evaluation (Common Criteria) for products even more useful? Should there be requirements for governments to share cyberthreat information with other countries and companies to improve security? What tools in the toolbox are acceptable to curb behavior—prosecution, sanctions, trade, covert action? Is it OK for national security services to steal intellectual property of companies? Is it OK for intelligence services to give it to competitors? What collection of information of or about individual citizens of another country is acceptable or unacceptable? What is the standard? What collection on other governments and their leaders is acceptable?

Most of these questions have some grounding in existing principles and laws, but the cyber facts have to be understood and applied to start to enunciate these rules of the road. Although work has certainly begun on cyber ‘norms,’ the time is right for taking the work to the next level. Furthermore, because the playing field is made up of private networks and elements of technology services and products, the outcomes should by definition be of interest to companies, CEOs, and boards of directors. Good rules of the road should help build trust in networks and technology globally. So, companies should engage in helping set the global rules of the road today. It affects their future.

■ Cyber laws globally
Given that cyber runs the gamut from national security concerns to consumer protection, and countries around the world have different values and interpretations of what laws protect their country and citizens, it should come as no surprise that companies doing business globally will face a myriad of sometimes divergent laws on a range of cyber topics.

An in-depth review of these laws is beyond the scope of this chapter, but it is important to note the categories in which a company, CEO, general counsel, and perhaps even the board must understand that their activity may trigger a compliance issue or affect their ability to provide a product or

With regard to compliance and security, there is a saying that ‘compliance does not equal security.’ There is no doubt that driving to ‘real security’ is the goal, and one that will likely get you where you need to be for compliance as well.

Here is a list of categories of laws to be concerned about and a few specific-use
• infrastructure security: voluntary public-private partnerships (U.S., U.K.), regulation of critical infrastructure (China, pending in E.U., pending in Germany), sector-specific regulation (India telecoms, U.S. chemical, Russia strategic industries)
• incident notification: data breach (U.S. in 47 states, E.U. telecoms, pending new E.U. Privacy Directive), SEC disclosure of material adverse events (U.S. SEC)
• tort, contract, product liability: in the absence of specific regulation, a company must use ‘reasonable care’ to secure their and third-party data, continue to provide service, build secure products, and protect IP (U.S., E.U., India and, for contract, globally)
• board of directors corporate: the board must use its ‘business judgment’ to secure the assets of the company and provide reasonable security (U.S.)
• acquisition of information by nation-states: lawful intercept telecoms (most countries), requests from non-telecoms by judicial or administrative process (most countries), collection outside of home country (most countries)
• technology controls, national security reviews, and certifications: export control of commercial technologies (U.S.), export control of military technologies ITAR (U.S.), certification of IT products (26 countries Common Criteria evaluation, China own requirements, Russia own requirements, Korea pending), import restriction on encryption (China, Russia), in-country use of encryption (China, Russia), national security reviews for M&A (U.S. CFIUS & FCC, China)
• privacy: economy-wide limits on collection and transfer of information about individuals (E.U.), sector specific (U.S. health care HIPAA, financial GLB), data localization (Russia), U.S.-E.U. Safe Harbor (allowing for transfer of E.U. privacy information to U.S.)
• speech and content: protection (U.S. Constitution), limits (France, Germany, Russia, China)
• consumer protection: unfair or deceptive security practices (U.S. FTC)
• criminal law: laws against hacking (U.S. CFAA, Budapest Convention on Cyber Crime, many countries), mutual legal assistance (MLATs) (U.S. and many countries for cross-border investigation and extradition)
• multilateral agreements: Wassenaar arrangement (obligation to limit export of dual-use technologies, including security), mutual defense treaties (e.g., NATO and Article 5 cyber obligations), WTO and technical barriers to trade agreement (obligation of WTO members to use international standards, including technology), WTO government procurement agreements (many countries, rules opening government procurement markets for foreign tech products).

Over the past decade there have been many skirmishes to try to limit the impact of proposed laws that would splinter the global market for technology products and services and protect the ability of companies to continue to drive innovation in products and services. Particularly in the post-Snowden world, where trust of countries and technologies has been strained, companies must pay particular attention to legislative and regulatory proposals that would undermine the global interoperability or security of the network, or use security as a stalking horse to protect or promote domestic manufacturers.

■ Security and privacy
As technology and economics continue to drive connectivity, cloud, mobility, data analytics, the Internet of Things, and the Industrial Internet, we must deal effectively with security and privacy. It’s not just the Snowden effect. People are still working through what they think about security and privacy. Most want both. Some regions have differing views. In the U.S., we limit what the government can do through Constitutional Fourth Amendment restrictions on unreasonable searches and seizures, but we freely give personal information to commercial companies in exchange for free content and other services we like. In Europe, it’s the opposite. The E.U. presumptively limits what information relating to individuals the private sector can collect and share but often has minimal legal procedures regulating government activities to collect information about its citizens. China has its own view on national security and information, as does Russia. In any event, companies have an important role to play in the future of the intersection of security and privacy.

Most people talk in terms of balancing security and privacy. This may be a false dichotomy. I think the better approach is to drive to security and privacy. Try to get both right. Do what you need to secure a system or crown jewels or an enterprise, and use techniques and technologies that help ensure privacy. I think this is the challenge for the future and likely an area that will spur great innovation. How can we work effectively with anonymized data? How can we implement machine-to-machine anomaly detection without identifying the individual or that a device belongs to a particular individual? How can we manipulate encrypted data at scale? Can we know enough from encrypted data streams across the enterprise or network to understand and stop an exfiltration or an attack? How can we share cyberthreat information that is anonymous and actionable? These are the questions companies can and should ask when providing service, domestically, but particularly globally. There no doubt is competitive advantage in providing solutions that don’t raise privacy concerns.

■ Conclusion
Cyber is by definition a global issue for any company, CEO, and board. The company’s networks are global, products are global, and adversaries are global. Furthermore, the company must have relationships with governments globally. Many companies are ‘global citizens’ and have a majority of their sales outside their home country. Where the cyber issue is at the top of the mind in each of the major markets these companies serve and where governments have not yet sorted out acceptable global ‘rules of the road,’ it is incumbent on company leadership to help figure out what the future is going to look like. Without common ground about what’s OK and not OK for governments to do with regard to each other, companies, and citizens, we will face an uncertain technology future. I am optimistic about the future and about the ability to master the cyber issue. However, it will take moving through the problem set. We are at an inflection point—as we continue to embed devices, software, and hardware into everything, we need to have a view, a path, a structure that gives us confidence. Therefore, when we sit down in an office such as the attorney general’s or a board of directors and ponder the better and lesser proclivities of mankind, we must be confident we are driving rules-based decisions to the happier side of the ledger—one that ensures we reap the benefits of this terrific, accelerating age of technology.

Pillsbury Winthrop Shaw Pittman LLP – Brian Finch, Partner
Managing third-party liability using the SAFETY Act

One of the most pressing questions facing directors and officers of publicly listed companies is how to manage third-party liability in the post 9/11 era. In particular, directors and officers continually struggle with the issue of whether ‘enough’ security measures have been deployed to protect not only corporate assets and employees but also innocent

Before 9/11, courts typically would not hold makers of items such as ammonium nitrate fertilizer liable for the misuse of their product by terrorists (finding that such terrorist acts were ‘unforeseeable’ and that the fertilizer manufacturers did not have a duty to protect the unfortunate victims of the attacks).

Unfortunately, a series of decisions completely changed the legal landscape post 9/11. In one case stemming from the 1993 World Trade Center attack, New York state courts initially held the Port Authority of New York and New Jersey partially liable for the losses suffered by the victims of the 9/11 attacks. In that particular case, the Port Authority was held to a standard in which if it knew or should have been aware of the possibility of a terrorist attack, then it was obligated to take all reasonable measures necessary to mitigate the possibility of said attacks.

Even considering that the decision was ultimately overturned on a technicality (the Port Authority was found to have a unique form of ‘sovereign immunity’ and therefore could not be held liable under any circumstances), the initial decision set forth a blueprint that other courts are sure to follow in future cases involving terrorist or cyberattacks.

Similarly, claims filed against the manufacturers of airplanes used in the 9/11 attacks were also allowed to proceed, leading to significant costs for those companies. In that instance, a federal court in New York allowed claims alleging that the cockpit doors on planes made by Boeing were negligently designed—thereby allowing terrorists to gain control of the planes—to proceed. The court’s rationale in that case was that a jury could find that Boeing should have foreseen that a terrorist would want to breach the cockpit and hijack the plane, and thus its cockpit doors should have been more strongly designed.

Because those claims were allowed to proceed, Boeing on average paid 2½ times in settlement fees what the plaintiffs (here the families of persons killed in the 9/11 attacks) would have received if they had elected to participate in the 9/11 Victims Compensation

In light of the above, it is obvious that directors and officers of publicly listed companies must be very concerned about post-attack litigation. Even if a court or jury ultimately finds that there is no culpability on the part of a director, officer, or the company itself, the stark reality is that the legal fight to reach that decision will be expensive and

So, the key question that directors and officers of publicly listed companies must ask themselves is, ‘How do we manage/minimize third-party liability in a post 9/11 world?’ Insurance is certainly an option, but obtaining a comprehensive policy can be very expensive, and further coverage is uncertain. Again using 9/11 as an example, many companies paid immense amounts in legal fees to force their insurance carriers to honor terrorism-related claims under the policies they issued.

Understanding the limits of insurance, the question then becomes what other risk mitigation tools exist that could limit by statute or eliminate third-party claims? Based on a review of existing statutes, regulations, and alternative options such as insurance coverage, the best opportunity for limiting liability is the Support Anti-Terrorism By Fostering Effective Technologies Act (‘SAFETY Act’). Under the SAFETY Act, ‘sellers’ of security products or services (a term that also includes companies that develop their own physical or cybersecurity plans and procedures and then use them only for internal purposes) are eligible to receive liability protections under the SAFETY Act.

In addition, entities that purchase or deploy SAFETY Act approved security products and/or services also will have the benefit of immediate dismissal of third-party liability claims arising out of, related to, or resulting from a declared ‘act of terrorism’ (a term that encompasses physical or cyberattacks, regardless of whether there is any motive or intent that could be deemed ‘political’ in nature).

The reader should remember that at the time of the drafting of this article, no litigation specifically involving the SAFETY Act has occurred, and so there is no established legal precedent interpreting the statute itself. However, the fundamental principles of the SAFETY Act are based on the “government contractor defense,” a well-established common law affirmative defense to third-party litigation that has been reviewed and upheld by the U.S. Supreme Court.

Accordingly, this article is based on interpretations of the SAFETY Act, the Final Rule implementing the SAFETY Act, and the underlying theory of the government contractor defense.

■ Background of the SAFETY Act
The SAFETY Act provides extensive liability protections to entities that are awarded either a ‘Designation’ or a ‘Certification’ as a Qualified Anti-Terrorism Technology (QATT). Under a ‘Designation’ award, successful SAFETY Act QATT applications are entitled to a variety of liability protections, including the following:
• All terrorism-related liability claims must be litigated in federal court.
• Punitive damages and pre-judgment interest awards are barred.
• Compensatory damages are capped at an amount agreed to by the Department of Homeland Security (DHS) and the
• That damage cap will be equal to a set amount of insurance the applicant must carry, and once that insurance cap is reached no further damages may be awarded in a given year.
• A bar on joint and several liability.
• Damages awarded to plaintiffs will be offset by any collateral recoveries they receive (e.g., victims compensation funds, life insurance).

Should the applicant be awarded a ‘Certification’ under the SAFETY Act for their QATT, all of the liability protections awarded under a ‘Designation’ are available. In addition, the seller of a QATT will be entitled to an immediate presumption of dismissal of all third-party liability claims arising out of, or related to, the act of terrorism.

This presumption of immunity can be overcome in two ways: (1) by demonstrating that the application was submitted with incorrect information and that that information was provided through fraud or willful misconduct or (2) by showing that the claims asserted by the plaintiff related to a product or service are not encompassed by the QATT definition as written by the Department of Homeland Security. Absent a showing of either element, the attack-related claims against the defendant will be immediately dismissed.

For the SAFETY Act protections to be triggered, the Secretary of Homeland Security must declare that an “act of terrorism” has occurred. The definition of an “act of terrorism” is extremely broad, and includes any act that:
(i) is unlawful;
(ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and
(iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United

The Secretary has broad discretion to declare that an event is an “act of terrorism,” and once that has been declared, the SAFETY Act statutory protections will be available to the seller of the QATT and others.

A cursory review of this definition reveals that there is no need to divine a motivation for the attack and that the language used can be interpreted to include physical attacks as well as cyberattacks. The only ‘intent’ that must be demonstrated under the SAFETY Act then is that the attack is intended to cause destruction, injury, or other loss to the U.S. or its interests. This is important to remember because it means that cyberattacks also trigger the protections of the SAFETY Act.

■ SAFETY Act protections available to customers and other entities
One of the most significant additional benefits of the SAFETY Act is that the liability protections awarded to the seller of the QATT flow down to customers, suppliers, subcontractors, vendors, and others who were involved in the development or deployment of the QATT. In other words, when a company buys or otherwise uses a QATT that has been either SAFETY Act ‘Designated’ or ‘Certified,’ that customer is entitled to immediate dismissal of claims associated with the use of the approved technology or service and arising out of, related to, or resulting from a declared act of terrorism.

The bases for these expanded protections are clearly set forth in the SAFETY Act statute and in the Final Rule implementing the SAFETY Act. Both are detailed below:

With respect to the protections offered to entities other than the Seller of the QATT, the SAFETY Act statute states as follows:
IN GENERAL.—There shall exist a Federal cause of action for claims arising out of, relating to, or resulting from an act of terrorism when qualified anti-terrorism

DHS, as set forth in the preamble to the SAFETY Act Final Rule, agrees with this interpretation, stating:
Further, it is clear that the Seller is the only appropriate defendant in this exclusive Federal cause of action. First and foremost, the Act unequivocally states that a “cause of action shall be brought only for claims for injuries that are proximately caused by sellers that provide qualified anti-terrorism technology.” Second, if the Seller of the Qualified Anti-Terrorism Technology at issue were not the only defendant, would-be plaintiffs could, in an effort to circumvent the statute, bring claims (arising out of or relating to the performance or non-performance of the Seller’s Qualified Anti-Terrorism Technology) against arguably less culpable persons or entities, including but not limited to contractors, subcontractors, suppliers, vendors, and customers of the Seller of the technology. Because the claims in the cause of action would be predicated on the performance or non-performance of the Seller’s Qualified Anti-Terrorism Technology, those persons or entities, in turn, would file a third-party action against the Seller. In such situations, the claims against non-Sellers thus “may result in loss to the Seller” under 863(a)(2). The Department believes Congress did not intend through the Act to increase rather than decrease the amount of litigation arising out of or related to the deployment of Qualified Anti-Terrorism Technology. Rather, Congress balanced the need to provide recovery to plaintiffs against the need to ensure adequate deployment of anti-terrorism technologies by creating a cause of action that provides a certain level of recovery against Sellers, while at the same time protecting others in the supply

Within the Final Rule itself, the Department also stated:
There shall exist only one cause of action for loss of property, personal injury, or death for performance or non-performance of the

technologies have been deployed in defense against or response or recovery from such act and such claims result or may result in loss to the Seller. The substantive law for decision in any such action shall be derived from the law, including choice of law principles, of the State in which such acts of terrorism
    occurred, unless such law is inconsistent
    with or preempted by Federal law. Such
    Federal cause of action shall be brought only
    for claims for injuries that are proximately
    caused by sellers that provide qualifi ed anti-
    terrorism technology to Federal and non-
    Federal government customers.
    The SAFETY Act statute also reads:
    JURISDICTION.—Such appropriate district
    court of the United States shall have original
    and exclusive jurisdiction over all actions for
    any claim for loss of property, personal injury,
    or death arising out of, relating to, or result-
    ing from an act of terrorism when qualifi ed
    anti-terrorism technologies have been deployed
    in defense against or response or recovery
    from such act and such claims result or may
    result in loss to the Seller.
    The key language, which comes from 6
    U.S.C. Section 442(a)(1), states that the claims
    arising out of, relating to, or resulting from
    an act of terrorism “shall be brought only for
    claims for injuries that are proximately
    caused by sellers that provide qualifi ed anti-
    terrorism technology to Federal and non-
    Federal government customers.”
    Furthermore, in Section 442(a)(2), the
    SAFETY Act states that U.S. district courts
    shall have original and exclusive jurisdiction
    for claims that “result or may result in loss to
    the seller.”
    The language in 6 U.S.C. Section 442(a)(1)
    and (a)(2) reads such that terrorism-related
    claims that have or could have resulted in a
    loss to the seller may only be brought in U.S.
    district courts against the seller. Nothing in
    the statute would give rise to claims against
    other parties who use or otherwise partici-
    pate in the delivery and use of the QATT.

    161 ■
    Further, based on the extensive analysis con-
    ducted above regarding the applicability of
    the SAFETY Act statute and Final Rule, buy-
    ers of security QATTs will be considered
    ‘customers’ for SAFETY Act purposes, and
    therefore entitled to immediate dismissal of
    claims related to an approved security tech-
    nology or service. Thus, the SAFETY Act can
    and should serve as an excellent tool to miti-
    gate or eliminate said liability.
    Accordingly, sellers and customers of
    ‘QATTs’ are entitled to all appropriate pro-
    tections offered by the SAFETY Act, whether
    those offered by Designation, the presump-
    tion of dismissal offered by Certifi cation, or
    the fl ow-down protections offered to cus-
    tomers and others. QATT customers and
    sellers could still face security-related litiga-
    tion should the Homeland Security Secretary
    not declare the attack to be an “act of terror-
    ism” or if the claims do not relate to the
    QATT as defi ned by DHS.
    ■ Conclusion
    Entities that are potentially at risk for third-
    party liability claims after an attack can be
    materially protected through the SAFETY
    Act. Users of SAFETY Act-approved security
    products or services will also receive direct
    and tangible benefi ts.
    The SAFETY Act provides strong liability
    protections that will fl ow down to such cus-
    tomers per the language of the SAFETY Act
    statute and Final Rule. A wide variety of
    attacks, products, and services, including
    cyberattacks and cybersecurity products and
    services, are covered by the language of the
    SAFETY Act, and thus, such products and
    services are also eligible to provide dramati-
    cally limited litigation and for such litigation
    to be limited to ‘sellers,’ not ‘customers.’
    Certainly not every attack will result in
    liability for security vendors or their custom-
    ers, particularly with respect to third-party
    liability. Should such liability occur, howev-
    er, it can be mitigated or eliminated using
    the SAFETY Act.
    Perhaps most importantly for directors
    and offi cers of publicly listed companies, the
    SAFETY Act should always be considered
    Seller’s Qualifi ed Anti-Terrorism Technology
    in relation to an Act of Terrorism. Such
    cause of action may be brought only against
    the Seller of the Qualifi ed Anti-Terrorism
    Technology and may not be brought against
    the buyers, the buyers’ contractors, or down-
    stream users of the Technology, the Seller’s
    suppliers or contractors, or any other person
    or entity.
    Thus, the SAFETY Act statute and the Final
    Rule implementing the law make it clear that
    when there is litigation involving a SAFETY
    Act QATT (whether Designated or Certifi ed)
    alleging that the QATT was the cause, direct-
    ly or indirectly, of any alleged losses, the
    only proper defendant in such litigation is
    the Seller of the QATT. Customers and oth-
    ers are not proper defendants and are enti-
    tled to immediate dismissal, because allow-
    ing litigation to proceed against customers
    would be contrary to the SAFETY Act statute
    and Congressional intent.
    ■ Practical application of SAFETY Act
    protections to limit third-party claims
    Considering the above, companies that sell
    or deploy security QATTs, as well as their
    customers, are entitled to extensive benefi ts.
    Sellers of cybersecurity QATTs are entitled to
    the broad protections from third-party liabil-
    ity claims offered under a ‘Designation’ and
    a ‘Certifi cation.’
    As explicitly set forth in the SAFETY Act
    statute and the SAFETY Act Final Rule, the
    only proper defendant in litigation following
    an act of terrorism allegedly involving a
    SAFETY Act Designated and/or Certifi ed
    QATT is the seller itself. In this case, the
    ‘Seller’ would be the security vendor or
    company that deploys its own internally
    developed security policies, procedures, or
    technologies with the QATT being said
    Certifi ed or Designated security policies,
    procedures, or even technologies.
    The basis for this analysis rests upon the
    fact that sellers of security QATTs will have
    received the QATT Designation or
    Certifi cation, thus conferring upon them
    specific statutory liability protections.

    ■ 162 SecurityRoundtable.org
    Given the relative paucity of case law
    defi ning what constitutes ‘adequate’ or ‘rea-
    sonable’ security, directors and offi cers
    should look to the SAFETY Act as a way to
    help determine whether their company’s
    security plans and programs could be con-
    sidered to have achieved those benchmarks.
    Doing so will not only help improve security
    but also almost assuredly decrease the com-
    pany’s risk exposure.
    when examining risk mitigation strategies
    associated with the company’s internal secu-
    rity programs (physical and/or cyber) as
    well as security goods and services pur-
    chased from outside vendors. The SAFETY
    Act offers powerful liability protections and
    can doubly serve as evidence that the com-
    pany exercised ‘due diligence’ and ‘reason-
    able care’ when designing and implement-
    ing its security programs.

Littler Mendelson P.C. – Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

Combating the insider threat: Reducing security risks from malicious and negligent employees

“Edward Snowden,” the affair that bears his name demonstrates the extreme damage that a privileged insider can cause, even to an organization with the most sophisticated security technology and one of the largest cybersecurity budgets. Although Snowden may have been a contractor, survey after survey demonstrates that employees, whether through negligence or malice, are the most common cause of security incidents. According to the Vormetric Insider Threat Report 2015, 89% of respondents globally stated that their organization was more at risk than ever from the insider threat, and 55% identified employees as the #1 internal threat. PwC’s Global State of Information Security 2015 found that current employees are the most frequently cited cause of security incidents, well ahead of contractors, hackers, organized crime, and nation-states.

These studies confirm that there has been no abatement in the insider threat in recent years. Just as PwC’s study found in 2015, a 2013 Ponemon Institute study, entitled the “Post-Breach Boom,” also reported that negligent and malicious insiders were the cause of 61% of security breaches experienced by respondents, substantially exceeding other causes, such as external attacks and system error or malfunctions.

Employers can take a wide range of relatively low-cost, low-tech steps to reduce the risk of insider threats. These steps track the stages of the employment lifecycle, ranging from pre-employment screening at the outset of the employment relationship to exit interviews when that relationship ends. Between those endpoints, employers can reduce the insider threat by implementing and managing access controls, securing mobile devices (whether employer-owned or personal) used for work, carefully managing remote work, providing effective training, and following a myriad other steps discussed in more detail below.

■ Pre-employment screening and post-hire risk alerts

Effective background screening can eliminate the insider threat before it ever occurs by identifying job applicants who pose a threat to the employer’s information assets. Employees responsible for evaluating background reports should be looking not only for prior convictions for identity theft but also for other crimes involving dishonesty, such as fraud and forgery, which indicate an applicant’s propensity to misuse information. Employers that rely on staffing companies should consider not hiring temporary workers for positions involving access to sensitive employee, customer, or business data, such as positions in the human resources or R&D departments or those responsible for processing credit card payments. If such hiring is imperative, the employer should impose on the staffing company, by contract, background check criteria for temporary placements that are at least as stringent as the employer’s own background check criteria.

Employers should beware that pre-employment screening can itself expose an employer to significant risks. In the past few years, the plaintiffs’ class action bar has aggressively pursued employers for alleged violations of the federal Fair Credit Reporting Act (FCRA), which regulates the procurement of background checks from third-party consumer reporting agencies. As of mid-2015, nearly 20 jurisdictions—states, counties, and municipalities—have enacted “ban-the-box” legislation to restrict private employers’ inquiries into criminal history. At the same time, the U.S. Equal Employment Opportunity Commission (EEOC) has filed several lawsuits against large employers, alleging that their pre-employment screening practices have a disparate impact on African American and Hispanic job applicants. Consequently, organizations should carefully review their pre-employment screening practices for compliance with the many federal, state, and local laws aimed at helping ex-offenders secure employment.

Employers also should consider whether a one-time, pre-employment background check adequately protects their organization. Currently, the vast majority of employers do not conduct background checks after the job application process has been completed. However, several service providers now offer “risk alerts,” either directly to employers or indirectly through the employer’s background check vendor. These risk alerts notify the employer and/or the background check vendor of post-hire risk factors available through public records sources, such as pending criminal charges, criminal convictions, and bankruptcies. Employers may consider using such “continuous monitoring” services to help identify employees who become security risks over time.

■ Employee-oriented safeguards for sensitive corporate data

Even employees who have been thoroughly screened and have proven their trustworthiness can expose an organization’s sensitive data to loss or theft. Organizations and the employees themselves can take the basic precautions described below to mitigate these risks.

A. Safeguarding electronic data

1. Access control lists: Restricting access to information, particularly sensitive customer, employee, and business information, on a need-to-know basis is a fundamental principle of information security. Employees in the accounts payable department, for example, should be barred from accessing human resources information. In addition, access to information by employees with a need to know should be limited to the minimum necessary to perform their job responsibilities. Organizations should implement a process for establishing the access rights of new hires based on their job responsibilities, for modifying access rights when job responsibilities change, and for promptly terminating access rights when the employment relationship ends.

2. Protecting log-in credentials: Employees should be regularly reminded of the importance of protecting their log-in credentials. They should be instructed not to share their log-in credentials with anyone. Hackers may pose as IT professionals on the phone or send phishing emails purporting to originate with the employer’s IT Department, to trick (“social engineer”) employees into revealing log-in credentials. Employees also should be instructed not to write down their log-in credentials and to immediately change their log-in credentials when they suspect the credentials have been compromised. Finally, each employee should be required to acknowledge that only he or she is the authorized person to access and view the organization’s information through his or her log-in credentials and is personally responsible for all activity using those log-in credentials.

3. Screen security: Employees can reveal sensitive data to “shoulder surfers” in airplanes, at coffee shops, and even at work by failing to adequately protect their computer monitor or screen. Employees should be reminded to position their monitor or screen to reduce the risk of viewing by unauthorized individuals. In locations, such as airplanes, where that may not be possible, employees should use a privacy screen to prevent unauthorized viewing. Regardless of location, employees should activate a password-protected screen saver when they leave their screen unattended.

4. Mobile device security: One of the most common causes of security breaches is the exposure of sensitive data through the loss or theft of employees’ mobile devices. To reduce this risk, organizations should push security controls to all mobile devices—whether employer-issued or personally owned—that are used for work. These controls should include encryption, password protection, automatic log-out after a short period of inactivity, automatic log-out after a small number of unsuccessful log-in attempts, and remote wipe capability. In addition, employees should be routinely reminded of the need to physically safeguard their mobile device, for example, by not sharing the device with others and by securing the device (for example, in a hotel safe) when the device is left unattended. In addition, employees should be instructed to immediately report the loss or theft of the device to a person or group designated to respond to such reports.

5. Remote work security: Corporate spies can tap into unsecured WiFi connections to steal sensitive data. To reduce this risk, employees should be required to use a secure/encrypted connection, such as a virtual private network (VPN), to access the corporate network when working remotely. In addition, employees should generally be required to use that secure remote connection to conduct business involving sensitive data rather than storing the sensitive data on a portable storage medium, such as a thumb drive or a laptop’s hard drive. Where local storage is a business imperative (e.g., when work must get done during a long flight), employees should be required to use an encrypted portable storage medium to store sensitive data.

6. No storage in personal online accounts: Once an organization’s sensitive data move to an employee’s personal email or cloud storage account, the organization effectively loses control of the information. Absent the employee’s prior written authorization, the email or cloud service provider generally cannot lawfully disclose the organization’s data to the organization. At the same time, employees often will hesitate to sign such an authorization out of concern that the employer will gain access to private information stored in the account, and employees almost always will flatly refuse to sign if they are disgruntled or after they have left the organization. Consequently, employers should unambiguously communicate to their workforce that storage of the organization’s sensitive data in a personal online account is

B. Safeguarding sensitive data in paper and oral form

1. Clean desk policy/secure storage: Whether employees are working at the employer’s office or their home office, paper documents containing sensitive data can easily be viewed or stolen by those not authorized to access the information, such as maintenance personnel at the office or those making repairs at the home. Employees should be reminded to secure paper documents containing sensitive data in locked offices, desk drawers, filing cabinets, or storage areas and to remove papers containing sensitive data from their physical desktop when it is unattended.

2. Beware of printers, scanners, and fax machines: Office equipment located in unrestricted areas poses a risk to sensitive data in paper form. Employees should be instructed to promptly remove print jobs, scans, and faxes from these machines so that sensitive data cannot be viewed by unauthorized individuals.

3. Avoid off-site use of paper documents: Massachusetts General Hospital agreed to pay $1 million to settle alleged HIPAA violations after one of its employees left the medical records of 192 HIV patients on the Boston subway. Organizations can avoid incidents like this by prohibiting employees from taking paper documents with sensitive data off-site unless there is a strong and legitimate business need to do so. Typically, employees will be able to access the same information through a secure remote connection. When there is a business need, employees should be required to keep the paper documents with them at all times or to secure the documents when unattended, just as employees should do with a mobile

4. Require secure disposal of paper documents: Pharmacies and other health care providers around the country have been the subject of scathing publicity and government investigations after journalists-cum-dumpster-divers discovered unshredded patient records discarded in bulk behind the facility. Whether working from the office or from home, employees should be required to shred paper documents containing sensitive data or to discard them in secure disposal bins.

5. Private conversations are meant for private places: In today’s world of mobile telephony, employees often can end up discussing sensitive information while walking down the street, riding in public transportation, or sitting in a crowded restaurant. Even when working at the corporate office or the home office, employees must be aware that they are not discussing sensitive data over the phone where unauthorized individuals can overhear them.

■ Employee monitoring

Monitoring technology has become increasingly sophisticated and can now help employers root out the insider threat. For example, recently developed email and Internet monitoring software uses “Big Data” techniques to identify patterns of conduct for the workforce as a whole, for particular groups, or for particular individuals to establish a norm for expected online conduct. When an employee deviates from the norm—for example, by downloading an unusually large number of files to an external storage device or by sending an unusual number of emails to a personal e-mail account—the software alerts the employer of the deviation from the norm, so the employer can investigate further. Employers concerned about the insider threat should consider investing in monitoring software that can perform this type of “user-based analytics.”

Employers also should consider installing data loss prevention (DLP) software on their networks. This software flags communications, such as outbound emails containing sensitive data, for further action. For example, DLP software may identify strings of digits resembling Social Security numbers in an outbound email, quarantine the email before it leaves the organization’s network, and alert the employer’s IT department of a potential data theft.

Although network surveillance software can substantially enhance other information security measures, implementation can pose risks for the organization. Although case law applying the Federal Wiretap Act to real-time email interception is somewhat sparse, the cases suggest that employers who capture email content in real time without robust, prior notice to employees may be exposed to civil lawsuits and even criminal prosecution. Multinational employers face broader, potential exposure for violating local data protection laws, particularly in the European Union. Consequently, employers should conduct a thorough legal review before implementing new monitoring technology.

■ Confidentiality agreements, employee training, and exit interviews

Although many of the safeguards described above may appear to be common sense, they likely will appear to be inconveniences to many employees, especially to the Gen-Y members and Millennials in the workforce for whom the broad disclosure of sensitive information through social media has become natural. Cisco’s 2012 Annual Security Report bears this out, reporting that 71% of Gen-Y respondents “do not obey policies” set by corporate IT. Similarly, Absolute Software’s 2015 U.S. Mobile Device Security Report found that 25% of Millennials admitted to compromising their organization’s IT security as compared to 5% of Baby Boomers. Given this “culture of noncompliance,” employers should consider three methods for reminding employees of their responsibilities as stewards of the employer’s sensitive data.

First, employers should consider requiring that all new hires whose responsibilities will involve access to sensitive data execute a confidentiality agreement. In addition to identifying those categories of information that employees must keep confidential, the agreement should summarize some of the key steps employees are required to take to preserve confidentiality, require return of the employer’s sensitive data upon termination of the employment relationship, and confer on the employer enforcement rights in the event the employee breaches the agreement. Employers should note that several federal regulators, including the Securities & Exchange Commission (SEC), the National Labor Relations Board (NLRB), and the EEOC, have been finding unlawful overly broad confidentiality agreements that effectively restrict employees’ rights to engage in legally protected conduct, such as whistleblowing or discussing the terms and conditions of employment with co-workers. Consequently, any confidentiality agreement should be scrutinized by legal counsel before it is distributed to new hires for signature.

Second, educating employees on information security is critical. Training should address a range of topics, including (a) the employer’s legal obligations to safeguard sensitive data, (b) the types of information falling within the scope of this legal duty, (c) the consequences for the employer’s bottom line of failing to fulfill those legal obligations, (d) the steps employees can take to help the employer fulfill its legal obligations, and critically (e) the situations that constitute a security incident and to whom the incident should be reported. Training should be recurring and supplemented with periodic security awareness reminders. These reminders could take the form of email, posts on an internal blog, or text messages and can include critical alerts, such as notification of a recent phishing email sent to members of the employer’s workforce or warnings against clicking on links or opening attachments that could result in the downloading of malicious code.

Third, employers should consider modifying their exit interview process to specifically address information security. At the exit interview, the employer can accomplish the following:

• provide the employee with a copy of his or her executed confidentiality agreement and remind the employee of his or her ongoing obligation not to disclose the employer’s sensitive data to unauthorized third parties;
• obtain the return of all employer-owned computers, mobile devices, and portable storage media on which sensitive data may be stored;
• arrange for the remote wiping, or other removal, of the employer’s sensitive data from any of the employee’s personal mobile devices allowed to access corporate information systems;
• confirm that the employee has not stored any of the employer’s sensitive data in personal email accounts, personal cloud storage accounts, personal external storage media, or anywhere else.

■ HR and in-house employment counsel need a seat at the “information security table”

In many, if not most, organizations, there is a chasm between the Human Resources department and in-house employment counsel, on the one hand, and the groups responsible for information security—the IT Department, the Chief Information Security Officer, and/or the Chief Privacy Officer—on the other. The former group views information security as the sole responsibility of the latter, and the latter group views employees (and employee data) as the sole responsibility of the former.

However, HR professionals and in-house employment counsel can play a critical role in enhancing an organization’s information security. They typically are responsible for evaluating whether to reject applicants based on information reported by the employer’s pre-employment screening vendor. They routinely train new hires and current employees on a wide range of topics and could easily partner with information security professionals to conduct information security training. They often negotiate contracts with service providers who receive substantial quantities of employees’ sensitive data. They regularly receive and investigate complaints of suspected employee misconduct, which may include reports generated by DLP software or other online surveillance software or about employees’ otherwise mishandling sensitive data. They also typically are involved in disciplinary decisions, including those based on employees’ mishandling of sensitive data.

In sum, by making human resources professionals and in-house employment counsel valued members of the organization’s information security team, organizations can significantly enhance the effectiveness of their overall information security program.

    Electronic version of this guide and additional content available at: SecurityRoundtable.org
Comprehensive approach to cybersecurity

Booz Allen Hamilton – Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate

Developing a cybersecurity strategy: Thrive in an evolving threat environment

The Internet and ‘always on’ connectivity are transforming how we live, work, and do business. Game-changing technology, powered by our increasingly connected society, offers more efficient workers, new revenue streams, and stronger customer relationships. Technology is not optional; it is a core business enabler. That means it must be protected.

Cybersecurity was once widely considered just another item in a long list of back-office functions. Vulnerability patching? Device configuration? These were IT problems for the IT team to worry about. However, that has changed. A series of high-profile cybersecurity attacks—from Stuxnet to Target—demonstrate that cybersecurity represents a business risk of the highest order. The C-suite and board are taking notice.

However, as cybersecurity makes its way onto the executive agenda, it is simultaneously time to rethink our strategies. The ‘Internet of Things’ is more than a fad. Suddenly, and increasingly, everything is connected. Business leaders get it: to fend off emerging players and ensure market competitiveness, companies are re-architecting their business models around this concept. It will drive success. It also requires new cybersecurity strategies that take a broader view of risk. Developing strategies that recognize risk beyond back-end IT systems is critical, to include products, customer interfaces, and third-party vendors. Above all, the new challenges in cybersecurity demand an organization-wide approach to protecting, and ultimately enabling, the business. It is time to cast the net wider, and more effectively, than ever before.

■ The value of getting cybersecurity right
An effective cybersecurity strategy must start with placing it in the context of the business—what your company uniquely provides as products or services really determines how to approach the challenge. For old-school IT security hands, this is a different way of thinking. It means getting out of the IT back office and learning the nuances of what makes the business go. Take the view of the CEO and board. It isn’t just that it is the right thing to do or because compliance matters. There are more meaningful answers to uncover.
The right cybersecurity strategy is guided by two related considerations: (1) ‘How does cybersecurity enable the business?’ and (2) ‘How does cyber risk affect the business?’ From this perspective, cybersecurity breaks out of its technical box and IT jargon. It focuses on competitive advantage, and it positions cybersecurity as an enabler and guarantor of the core business, whatever business you’re in. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
■ It takes an enterprise
A cybersecurity strategy grounded in your unique business ecosystem will quickly reveal what must be protected. Enterprise IT still matters; it moves, analyzes, and stores so much of your business-critical data. However, a cybersecurity strategy must now go further. Your industry should shape the fine-tuning of the scope here, but we can boil the components of your ecosystem ‘map’ down into several key features:
1. Enterprise IT: the back-end technology infrastructure that facilitates company-wide communications; processes, stores, and transfers corporate data; and enables workforce mobility
2. Supply chain: the flow of materials and components (hardware and software) through inbound channels to the enterprise, where they are then operationalized or used in the development of products and services
3. Product/service development: the research, design, testing, and manufacturing environments for your products and
4. Customer experience: the operational realms where customers use and interact with your products or services
5. External influencers: all external entities that affect how you guide your business, to include regulators, law enforcement, media, competitors, and customers.
A cybersecurity strategy at this scale requires enterprise-wide collaboration. It will take the whole organization to manage cyber risk, so it is imperative to cast a wide net and include representatives from across business units in strategy formulation discussions. It requires a multidisciplinary team effort to develop a security strategy that reflects the scale and complexity of the business challenge.
■ Elements of cyber strategy at scale
Building a cybersecurity strategy can seem overwhelming, but it doesn’t have to be. Start with a vision, understand the risk, identify controls, and build organizational capacity. Every element builds on the others.
1. Set a vision: It all starts with a creative vision. It’s critical to paint a high-level landscape of the future that portrays how cybersecurity is intertwined with the most critical parts of your business. Think about how value is created within your company. Is it a cutting-edge product? Is it by delivering world-class customer service? Craft a short story on how cyber protects and enables that.
2. Sharpen your priorities: You have limited resources, just like every other company. You can’t protect everything, so you had better be certain you’re focusing on the most critical business assets. The first step is to figure out what your company determines to be its ‘crown jewels.’ Once you’ve defined what truly matters, it’s time to evaluate how exposed—or at-risk—these assets are. That will give

you a basis for right-sizing your security program around these assets.
3. Build the right team: Once you define what matters and how much security makes sense, think about the people. What does your direct and extended workforce have to look like to be uniquely successful at your company? These days, you can’t get by with your security program being filled with a technologist majority. Time to weave in an accompanying set of skill sets that will help propel you to success, to include organizational change management, crisis management, third-party risk management, and strategic
4. Enhance your controls: This is largely about scope. With your company’s quickly expanding ‘map,’ you’ll need to adopt new methods for treating risk. For example, if you deliver a ‘connected’ product to consumers, you’ll have to ensure strong embedded device security, as well as protections over the airwaves. Without this, your brand could be at stake. Fortunately, there’s a great deal of momentum in the world today, with new methodologies, technologies, and skill sets continuously being developed to meet the challenge of today’s expanding cyberattack surface.
5. Monitor the threat: Unfortunately, cybersecurity isn’t only about reducing risk behind your firewalls. It must also include maintaining awareness of the threat landscape—external and internal. Because the threat is always changing and always determined, you have to take on that same adaptive mindset. Whether that’s employing strong monitoring and detection capabilities, consuming threat intelligence feeds, or participating in an industry-level information sharing forum, there are many avenues that you should strongly consider using.
6. Plan for contingencies: No one can ever be 100% secure, so it’s vital to have a strong incident response capability in place to manage the ensuing events when something happens, because something undesirable will most certainly happen. Incident response is more than just having the right technology capabilities in place, such as forensics and malware analysis. In fact, real success in cyber incident response usually comes down to the people aspect. How plugged in are you with your company’s legal, privacy, communications, and customer sales units? They are all critical to success; and with this expanded scope of players, you can imagine how a cyber matter can quickly rise to become a top-line business matter.
7. Transform the culture: The best organizations out there today do this well. Because people are the core of your business, it comes down to them ‘buying in’ to cybersecurity as something that they care about. From your dedicated cyber workforce, to business unit leaders, to those that manage your company’s supply chain, you’ll need all hands on deck, each doing their part in advocating for and implementing cybersecurity measures. A security organization can make this easier by finding ways to make cyber relevant for each part of the business by sharing innovations that excite and enable the
■ Bringing the strategy to life
Perhaps the best measure of an effective cybersecurity strategy is its ability to be implemented and make a visible change in how the business is operated. With a strategy in hand, the next move is to build momentum with ‘quick wins’ while investing in long-term capability development.
The first step is to use your strategy’s risk framework to assess where you must apply new or enhanced controls. Look broadly. The biggest cybersecurity challenges may not be where your organization usually expects to see them. There are multiple ways to assess how well the organization is performing, including workshops, external assessments, tabletop exercises, or war games.
To appropriately assess the organization, you need to know what ‘good’ looks like.

This is different for each organization and industry, but relying on industry benchmarks and existing standards/frameworks (e.g., NIST Cyber Framework) is a good place to get a quick read on your maturity. However, don’t adopt these standards blindly; figure out what’s applicable to your needs and what’s relevant for your
Once you’ve assessed your priorities and set a maturity target, the next move is to build a roadmap that pairs ‘quick wins’ with more strategic and enduring capabilities. Right away, you’ll want to ensure that you are doing the basic blocking and tackling of cybersecurity. Many call this instilling proper ‘cyber hygiene,’ or putting a foundational layer of protections and capabilities in place. Once you’ve gained a solid foothold, time to take the next step, such as establishing predictive intelligence mechanisms that help you anticipate the next threat, instead of reacting to it when it hits.
Perhaps the best way—and the biggest challenge—to bringing your strategy to life is to remember it isn’t policy or technology that matters most, but people. Once you’ve embraced this idea and put the person at the center of all of your decisions, you can really start to envision what it’ll take for cybersecurity ‘change’ to happen in your organization.
■ What getting it right looks like
It is easier to write about the concepts of a good cyber strategy than it is to deliver one for your organization. However, getting cybersecurity right for the organization has benefits far beyond IT. A strong cyber strategy drives security capability development and ultimately has the power to transform the business into a more successful one. An effective cyber strategy looks different depending on the industry and individual business, but they all share some key features.
It’s driven from the top. First, a strong cyber strategy won’t be locked away in a file cabinet, buried in a hard drive, or lost in the cloud. Instead, it will be part of your organization’s core message, and it will feel alive. That tone will be set from the top, with senior executives explaining how cyber will drive the future success of the business.
It’s at the beginning of every new story. Whether you’re designing a new product or launching into a fresh multinational joint venture, cyber is a conversation that will always take place. Requirements are built in from the beginning and brought to life as the venture evolves. Remember, it’s always easier and cheaper to implement cyber earlier rather than later in the lifecycle.
Cyber is communicated in simple business language. Don’t be paralyzed by those who only want to ‘speak geek.’ Simple, easy-to-understand logic should prevail when communicating how cybersecurity is enabling your business.
You’ve established a predictive edge. If you’ve evolved your strategy in a disciplined manner, some really amazing things start to come to life. One powerful aspect is that you’re using multiple sources of intelligence to understand the world around you, and you are able to anticipate the adversary’s next move. Sometimes this can feel like playing a fun video game, but it could really mean saving the lifeblood of your business.
The puzzle pieces come together. With all that you’ve invested in cybersecurity, the real payoff comes when you see the component elements work in harmony as a system. A unified construct that links constituent technologies, processes, and people together will prove highly effective in monitoring and responding to events and engaging the broader business ecosystem to get things done.
You play a role in the community. Cybersecurity is not something you should attempt alone as an organization. The complexity of vulnerability and the highly resourced threats today are simply overwhelming for any one entity. Cybersecurity

requires the power of community, new ideas, and security capabilities coming to life. When successful, your organization is an active part of key dialogues with industry and government. Threat intelligence and best practices are shared two ways, but more importantly, you integrate into the fabric of a very important and very valuable community.
‘Change agents’ are swarming. You’ll need these thought leaders to move across all elements of the business to shift mindsets and anchor new behaviors. These advocates help spread the cybersecurity vision broadly and provide ‘on the ground’ feedback to make your security strategy stronger.
Security is now embedded across your ecosystem. You’ve taken a long, hard look at the ‘map’ of your business, and you now understand all the points where cybersecurity must play a part. Success at this point means that you’ve carefully and deliberately initiated dialogue and worked with different elements of the business to embed security in places beyond Enterprise IT and extended it into broader touchpoints across the external
Your enterprise embraces it. From senior leadership to customer-facing sales teams, cybersecurity is integrated as part of your cultural DNA. You hear about it all the time, and you see how it’s factored into all major business decisions. Your organization has evolved to the point where it is now living the principles of good cybersecurity without even thinking about it.

Booz Allen Hamilton – Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; Ernie Anderson, Principal; and Christian Paredes, Associate
Designing a Cyber Fusion Center: A unified approach with diverse capabilities
Since the early 2000s, organizations have focused cybersecurity efforts around a preventative, “defense-in-depth” approach. The multiple layers of security are intended to thwart attackers; this trend has become known as the “moat-and-castle” defense: higher walls, a deeper moat, and other fortifications to deter or prevent the enemy from breaching the castle grounds.
Within the past several years, high-profile breaches across the financial, government, retail, health-care, defense, and technology sectors have spotlighted the need for a better incident response (IR) capability to detect, contain, and remediate threats. These breaches are evidence that prevention alone is no longer a sufficient approach. However, many organizations lack a mature IR capability and end up spending millions of dollars to outsource IR services. Furthermore, once the incident is remediated, organizations are still left wondering how to effectively secure themselves for the highest return on investment (ROI).
Prevention remains a critical component of an effective security program. And organizations are increasingly investing in native detection and response capabilities, or a Security Operations Center (SOC). But the people, processes, and technologies that are the backbone of SOC must be integrated within one Cyber Fusion Center (CFC) that also combines functions such as Cyber Threat Intelligence (CTI), Red Teaming, and Attack Surface Reduction (ASR).
The Cyber Fusion Center. The CFC is a comprehensive, integrated approach to security. The CFC mission is to protect the business—its assets, people, clients, and reputation—so that it can thrive and operate without costly disruptions.

The CFC approach does not guarantee that there will be no security incidents; this is an impossible feat. Rather, it ensures that all security efforts are coordinated efficiently by leveraging the benefits of proximity (either physical or logical) and easy communication between security teams.
The CFC is designed to integrate key security functions into a single unit without stovepipes or prohibitive bureaucracy:
• Security Operations Center (SOC): the heart of the CFC and the first line of an organization’s defense, responsible for detecting, responding to, containing, and remediating threats, as well as proactively identifying malicious activity. The SOC is also home to Threat Defense Operations (TDO), the dedicated “hunting” arm of security and intelligence operations responsible for actioning intelligence, conducting in-depth malware analysis, and continually building and improving prevention and detection methods.
• Cyber Threat Intelligence (CTI): the “forward observers” responsible for identifying threats to the organization and disseminating timely, relevant, and actionable reporting to the SOC, C-Suite, and other stakeholders.
• Red Team: the “attackers” who simulate the tactics, techniques, and procedures (TTP) of threats relevant to your organization. The Red Team will continually “stress test” your SOC, driving improvements in detection, response, and SOC analyst threat understanding.
• Attack Surface Reduction (ASR): the proactive defense group responsible for identifying and mitigating vulnerabilities, unnecessary assets, and nonessential services. More than just patch management, optimized ASR teams focus on continually improving an organization’s hardening and deployment procedures to eliminate vulnerabilities before systems go live.
By integrating these functions, the CFC aims to break down communication barriers, centralize threat knowledge and analysis, unify the organization’s security strategy, and ultimately maximize the value of investments in cybersecurity.
Although the security functions that make up the CFC are not new, the CFC approach represents a complex interaction between the security teams with multiple “touch points,” parallel workflows, and constant feedback mechanisms. With the right design and implementation considerations, organizations can:
• increase operational effectiveness by orchestrating the security functions and information flow from threat intelligence, through security and IT operations
• improve security readiness by enabling stronger detection mechanisms and awareness of threats
• accelerate security maturation by reducing the costs associated with coordinating complex security functions across multiple teams.
The CFC is distinguished not by its individual parts but by the integration and interdependencies across its functions. More than just a security approach, the CFC is a security mind-set that organizations can implement to better secure themselves, protect their customers, and reduce costly business
■ Building a robust SOC to detect and respond to threats
Organizations are quickly recognizing the need to detect and respond to a variety of threats; simply blocking threats isn’t enough. The Security Operations Center (SOC) is the organization’s first line of defense against all forms of threats and is the heart of the CFC. The SOC will handle any suspected malicious activity and work closely with the other teams in the CFC. A well-designed and maintained SOC will focus on gaining efficiencies through continuous analyst training and mentoring, and constant evaluation of the organization’s security technologies.

A tiered SOC structure. The SOC can be designed around a simple detect, identify, and mitigate model. Analysts at various tiers investigate malicious activity (aka alerts or events) with these three stages in mind: Tier 1 analysts are charged with classifying the severity of the event and correlating the event with any historical activity. If necessary, Tier 1 analysts will escalate incidents to Tier 2 and 3 analysts, who will conduct in-depth investigations and perform root-cause analysis to determine what happened.
Threat Defense Operations (TDO). Additionally, specialized analysts within the SOC—Threat Defense Operations (TDO) analysts—are responsible for creating detection logic in the form of signatures, rules, and custom queries based on CTI-provided threat intelligence. TDO engineers deploy the detection logic to a range of devices, appliances, tools, and sensors that make up an organization’s security stack. The rules, signatures, and queries create a threat-based preventative sensor network that generates network and host-based alerts that Tier 1–3 analysts in the SOC respond to.
TDO analysts will then fine-tune their detection logic based on SOC feedback, creating an efficient CFC that won’t waste time investigating false alarms. The TDO team is also responsible for providing in-depth malware analysis that yields valuable technical intelligence (TECHINT) that can be used in detection logic and further enriched by CTI.
Managing all the security alerts (aka “alert fatigue”). This process—building detection solutions and then identifying and mitigating threats—is where many organizations struggle. Oftentimes, implementation of efficient and effective SOC processes is stifled by an overwhelming number of consoles, alerts, threat feeds, and tools that prohibit seamless workflows for analysts. While security managers should continually identify potential feeds and technologies to invest in, their impact on the SOC analyst should always be a primary consideration:
• How many new alerts will this technology or new data feed produce?
• Who will tune the technology to limit the number of false positives it produces?
• Is the technology filling a gap in detection capabilities or adding on to existing
• How does the introduction of this new technology affect the SOC workflow?
The main point to remember is that more technology, tools, and threat feeds do not necessarily enable your SOC to operate more efficiently. Designs that emphasize smooth
[Figure: Case Management Approach. Columns: Manage, Standardize, Measure. Elements shown: Case Mgt. Dashboard; Monitor, Detect, and Contain Metrics; Real-Time Improvements; Formal Shift Change Process; Process and Procedures; Business Process Reengineering; Shift Leader Oversight; Case Mgt. Tracking Tool; 24/7 Structure.]
[Figure: SOC 24/7 Organizational Framework. Stages: Enable Detection, Identify Threats, Mitigate Threats. Roles shown: first-level responder responsible for detecting and assessing cybersecurity threats and incidents across the environment; “operationalize” threat intelligence to enable automated detection and manual analysis within and across prevention and detection technology; conducts in-depth analyses of security incidents with specific ability to identify Indicators of Compromise, perform root-cause analysis, and execute containment strategies.]
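The detect/identify/mitigate tiering and the TDO feedback loop described above, worked through in Python as an added example (this is not code from the chapter or from Booz Allen Hamilton). The rules stand in for TDO-authored signatures and queries, the indicators, hostnames and events are constructed placeholders, and the Tier 1 escalation policy and the false-positive threshold at which a rule is switched off are assumptions of the example.

```python
"""Tiered SOC alert triage fed by TDO detection logic, with a tuning loop.

Added example: the rules, indicators and events below are constructed
placeholders, and the escalation/suppression thresholds are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed indicators standing in for CTI-provided IOCs (placeholders, not real).
CTI_IOCS = {
    "domains": {"example-c2.invalid", "update-check.invalid"},
    "hashes": {"deadbeef" * 8},
}


@dataclass
class DetectionRule:
    """One piece of TDO-authored detection logic (signature, rule or query)."""
    name: str
    severity: str
    matches: Callable[[dict], bool]   # predicate over a normalized event
    enabled: bool = True
    hits: int = 0                     # alerts this rule has raised
    false_positives: int = 0          # alerts the SOC closed as benign

    def fp_rate(self) -> float:
        return self.false_positives / self.hits if self.hits else 0.0


def build_rules() -> list[DetectionRule]:
    """Fresh rule set so each shift starts with clean counters."""
    return [
        DetectionRule("cti-c2-domain", "high",
                      lambda e: e.get("dns_query") in CTI_IOCS["domains"]),
        DetectionRule("cti-known-hash", "high",
                      lambda e: e.get("sha256") in CTI_IOCS["hashes"]),
        DetectionRule("office-spawns-shell", "medium",
                      lambda e: e.get("parent") in {"winword.exe", "excel.exe"}
                      and e.get("process") in {"cmd.exe", "powershell.exe"}),
        DetectionRule("failed-logon-burst", "low",
                      lambda e: e.get("failed_logons", 0) >= 20),
    ]


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    prior_hits_on_host: int   # Tier 1 correlation with historical activity
    tier: int                 # 1 = handled at Tier 1, 2 = escalated to Tier 2/3


@dataclass
class SOC:
    rules: list[DetectionRule]
    history: Counter = field(default_factory=Counter)   # (host, rule) -> past alerts
    alerts: list[Alert] = field(default_factory=list)

    def enable_detection(self, event: dict) -> list[Alert]:
        """Sensor layer: run every enabled rule over one normalized event."""
        return [self.identify(rule, event)
                for rule in self.rules if rule.enabled and rule.matches(event)]

    def identify(self, rule: DetectionRule, event: dict) -> Alert:
        """Tier 1: classify severity, correlate with history, decide on escalation."""
        rule.hits += 1
        key = (event["host"], rule.name)
        prior = self.history[key]
        self.history[key] += 1
        rank = SEVERITY_RANK[rule.severity]
        # Assumed policy: high severity, or a repeat medium-severity hit on the
        # same host, goes to Tier 2/3 for root-cause analysis.
        escalate = rank == 3 or (rank == 2 and prior >= 1)
        alert = Alert(rule.name, rule.severity, event["host"], prior, 2 if escalate else 1)
        self.alerts.append(alert)
        return alert

    def tune(self, rule_name: str, false_positive: bool,
             max_fp_rate: float = 0.5, min_hits: int = 4) -> bool:
        """TDO feedback loop: record the SOC verdict and disable a rule whose
        false-positive rate exceeds the threshold. Returns whether it is still on."""
        rule = next(r for r in self.rules if r.name == rule_name)
        if false_positive:
            rule.false_positives += 1
        if rule.hits >= min_hits and rule.fp_rate() > max_fp_rate:
            rule.enabled = False
        return rule.enabled


# Constructed events from a single shift (hosts and values are made up).
SAMPLE_EVENTS = [
    {"host": "ws-01", "dns_query": "example-c2.invalid"},
    {"host": "ws-02", "parent": "winword.exe", "process": "powershell.exe"},
    {"host": "ws-02", "parent": "winword.exe", "process": "cmd.exe"},
    {"host": "srv-01", "failed_logons": 25},
    {"host": "srv-01", "failed_logons": 40},
    {"host": "srv-01", "failed_logons": 30},
    {"host": "srv-01", "failed_logons": 22},
    {"host": "ws-03", "sha256": "deadbeef" * 8},
]


def run_shift(events: list[dict] = SAMPLE_EVENTS) -> SOC:
    soc = SOC(build_rules())
    for event in events:
        soc.enable_detection(event)
    return soc


def escalation_summary(soc: SOC) -> dict:
    escalated = sum(1 for a in soc.alerts if a.tier == 2)
    return {"alerts": len(soc.alerts), "tier1": len(soc.alerts) - escalated,
            "escalated": escalated}


if __name__ == "__main__":
    shift = run_shift()
    print(escalation_summary(shift))
    # Three of the four logon-burst alerts were a misconfigured service account;
    # the third benign verdict trips the suppression threshold.
    for _ in range(3):
        print("failed-logon-burst enabled:", shift.tune("failed-logon-burst", True))
```

The point of `tune` is the chapter’s feedback loop: a noisy rule is not left to generate alert fatigue, it is taken offline (for rework by TDO) once the SOC’s own verdicts show it is mostly false alarms. In practice the suppression threshold and minimum sample size would be set per rule rather than globally.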

workflows and “painless” methods of data collection (e.g., analysts do not need to contact other teams to access certain data) are more likely to succeed than those that prioritize technology. Organizations should focus on technology that enables SOC investigators to spend less time collecting data and more time investigating the root cause of the activity they’ve been alerted to.
Implementing 24/7 operations and managing investigations. Design and implementation should focus on standardizing daily operations, case management, and methods of “measuring success.” Modern-day threats necessitate that SOCs operate 24/7, 365 days a year, requiring well-thought-out shift schedules and defined roles. Leaders with managerial and technical experience can aid in workflow management and provide analyst training.
Having a well-integrated, easy-to-use case-management system that doesn’t get in the way of investigations and seamlessly interacts with other SOC tools is key. This tool ideally provides metrics on how effectively your SOC monitors, detects, and contains cases and will allow an organization to identify gaps in people, processes, and technologies.
Standardizing your standard operating procedures. Successful implementation also demands accurate and up-to-date documentation. This includes documentation on network architecture, standardized operating procedures (SOPs), and point-of-contact lists. If the SOC is considered the “heart” of the CFC, then SOPs act as its beat, guiding analysts in situations ranging from collecting forensic evidence to stopping data exfiltration.
These procedures change as new technology and organizational structures are implemented. Many organizations fail to update, train, and test their staff and leaders on SOPs, hurting their response times and containment metrics.
The bottom line. The SOC provides core security functions within the CFC and can achieve efficiencies through close integration with other teams such as CTI and TDO. Instead of looking to new technology first, successful organizations will constantly evaluate their security posture and frequently train their analysts on how to react to new threats. Organizations must carefully consider how new technology and tools will impact the analysts’ workflow and their ability to detect and respond to threats while focusing on processes and procedures.
■ Using Cyber Threat Intelligence to anticipate
Cyber Threat Intelligence (CTI) has become the security buzzword of 2015. Many products and services claim to provide threat intelligence and promise to prevent a major incident. As this term has saturated the market and security circles, the true meaning and value of threat intelligence has become clouded. As a result, the usefulness of threat intelligence is, in some cases, dismissed.
However, true threat intelligence is incredibly powerful—it can serve as a force-multiplier for your CFC, helping to improve awareness of threats and offering the means by which these threats could be prevented or
So what is threat intelligence? First, and most important, only humans can produce threat intelligence through focused research, a synthesis of multiple sources (aka “all-source analysis”), and clear, concise communication that explains the relevance of threats to your organization. Generally, threat intelligence feeds will not provide much intelligence value unless they are thoroughly vetted by human analysts first; feeds are more likely to generate false alarms than to indicate malicious activity. Additionally, good threat intelligence will be implemented in a way that demonstrates the following characteristics:
Cyber Threat Intelligence is timely. Cyber intelligence addresses an impending threat to the business environment. Receiving that intelligence before the threat is realized is crucial to the organization. Dissemination of strategic and tactical intelligence, including indicators of compromise (IOCs), can take the form of indications and warning (warning of an imminent threat), daily or weekly
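The monitor/detect/contain metrics the case-management discussion above asks for, computed over a small case export as an added example (not the chapter’s or Booz Allen Hamilton’s code). The export format, the five cases, the shift names and the 120-minute containment target are all constructed for illustration; the interesting output is not the averages themselves but the breakdown that points at a gap, here a shift whose containment times lag.

```python
"""Case-management metrics for a 24/7 SOC: time to detect, time to contain, gaps.

Added example; the case export below is constructed and the containment
target is an assumption, not a figure from the chapter.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from statistics import mean

CONTAIN_SLA_MINUTES = 120   # assumed target: contain within 2 hours of detection


@dataclass(frozen=True)
class Case:
    case_id: str
    shift: str                  # shift that opened the case ("day"/"night")
    first_seen: datetime        # earliest malicious activity found by the investigation
    detected: datetime          # alert raised / case opened
    contained: datetime | None  # None while the case is still open


def parse_case(record: dict) -> Case:
    """Build a Case from one row of a (constructed) case-tracking export."""
    iso = datetime.fromisoformat
    return Case(record["id"], record["shift"], iso(record["first_seen"]),
                iso(record["detected"]),
                iso(record["contained"]) if record.get("contained") else None)


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def case_metrics(cases: list[Case]) -> dict:
    """Monitor/detect/contain metrics plus the cases that breached the target."""
    closed = [c for c in cases if c.contained is not None]
    time_to_detect = [_minutes(c.detected, c.first_seen) for c in cases]
    time_to_contain = {c.case_id: _minutes(c.contained, c.detected) for c in closed}
    by_shift: dict[str, list[float]] = {}
    for c in closed:
        by_shift.setdefault(c.shift, []).append(time_to_contain[c.case_id])
    return {
        "cases": len(cases),
        "open": len(cases) - len(closed),
        "mttd_min": round(mean(time_to_detect), 1) if time_to_detect else None,
        "mttc_min": round(mean(time_to_contain.values()), 1) if time_to_contain else None,
        "contain_sla_breaches": sorted(cid for cid, m in time_to_contain.items()
                                       if m > CONTAIN_SLA_MINUTES),
        "mttc_by_shift": {s: round(mean(v), 1) for s, v in sorted(by_shift.items())},
    }


def slowest_shift(metrics: dict) -> str | None:
    """Shift with the worst mean containment time: a people/process gap to examine."""
    by_shift = metrics["mttc_by_shift"]
    return max(by_shift, key=by_shift.get) if by_shift else None


# Constructed export: five cases from one day, one still open.
SAMPLE_EXPORT = [
    {"id": "C-1001", "shift": "night", "first_seen": "2015-06-01T01:10",
     "detected": "2015-06-01T01:40", "contained": "2015-06-01T03:10"},
    {"id": "C-1002", "shift": "day", "first_seen": "2015-06-01T09:00",
     "detected": "2015-06-01T09:10", "contained": "2015-06-01T09:40"},
    {"id": "C-1003", "shift": "day", "first_seen": "2015-06-01T13:00",
     "detected": "2015-06-01T13:30", "contained": "2015-06-01T14:30"},
    {"id": "C-1004", "shift": "night", "first_seen": "2015-06-01T22:00",
     "detected": "2015-06-01T23:00", "contained": "2015-06-02T02:00"},
    {"id": "C-1005", "shift": "day", "first_seen": "2015-06-01T15:00",
     "detected": "2015-06-01T15:15", "contained": None},
]


def sample_metrics() -> dict:
    return case_metrics([parse_case(r) for r in SAMPLE_EXPORT])


if __name__ == "__main__":
    m = sample_metrics()
    print(m)
    print("slowest shift:", slowest_shift(m))
```

Open cases are counted but excluded from the containment average rather than silently treated as contained; a dashboard that hides still-open cases inside a mean is the kind of metric that looks healthy right up to the post-event review.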

Oftentimes, business decisions have to be made without all the information. An understanding of the threat landscape can help to make these business decisions, however. For example, attacks on organizations in related industries can serve as an indication that your business might soon be targeted (or has already been targeted).
Although the SOC team is your organization’s first line of defense, it can operate more effectively and efficiently with the support of CTI. Your security team will handle a wide array of potential threats and must be able to quickly triage events, determine the threat level, and mitigate incidents. CTI can help SOC analysts to prioritize these alerts, can aid in investigations, and can help SOC analysts attribute malicious activity to specific threats or threat groups. Over time, by leveraging technical intelligence the SOC will develop a stronger understanding of the threats they face, enabling them to act more quickly. The TDO component of SOC will also closely coordinate with CTI to conduct analysis and develop creative detection mechanisms.
The bottom line. Real, human-developed Cyber Threat Intelligence will enable your organization to pre-empt threats, assess risk, and take appropriate defensive actions. Benefits such as avoiding the cost of post-event recovery and remediation, and preventing the theft, destruction, and public release of critical data, make Cyber Threat Intelligence critical to your organization.
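The chapter’s test for real intelligence (timely, relevant, actionable, and vetted by a human analyst rather than taken straight off a feed) applied to a raw feed, as an added Python example that is not from the chapter or from Booz Allen Hamilton. The environment profile, the 14-day staleness cut-off, the bucket names and every feed entry are constructed; the indicators are placeholders in the reserved .invalid domain and an all-zero hash.

```python
"""Vetting a raw threat-intelligence feed: timely, relevant, actionable, human-reviewed.

Added example. The environment profile, thresholds and feed entries are
constructed for illustration; indicator values are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed profile of the defended environment.
ENVIRONMENT = {"sector": "financial", "platforms": {"windows", "linux", "office365"}}
MAX_AGE_DAYS = 14            # assumed: older tactical indicators are treated as stale
AS_OF = date(2015, 7, 1)     # fixed "today" so the example is deterministic


@dataclass(frozen=True)
class FeedEntry:
    indicator: str
    kind: str                 # "domain", "sha256", ...
    published: date
    sectors: frozenset        # sectors the reporting concerns (empty = unknown)
    platforms: frozenset      # platforms the threat affects
    context: str              # analyst write-up explaining why it matters
    vetted_by: str            # human analyst who reviewed it ("" = nobody yet)


def is_timely(e: FeedEntry, as_of: date = AS_OF) -> bool:
    return (as_of - e.published).days <= MAX_AGE_DAYS


def is_relevant(e: FeedEntry, env: dict = ENVIRONMENT) -> bool:
    # Our sector, or a platform we actually run; a threat to a platform we do
    # not use is filtered out even when it is headline news.
    return env["sector"] in e.sectors or bool(env["platforms"] & e.platforms)


def is_actionable(e: FeedEntry) -> bool:
    # A bare indicator with no analysis is data, not intelligence.
    return bool(e.indicator.strip()) and bool(e.context.strip())


def triage_feed(entries, as_of: date = AS_OF, env: dict = ENVIRONMENT) -> dict[str, list[str]]:
    """Split a feed into: deploy (ready for TDO detection logic), review
    (needs a human analyst first), discard (stale or not relevant to us)."""
    out: dict[str, list[str]] = {"deploy": [], "review": [], "discard": []}
    for e in entries:
        if not (is_timely(e, as_of) and is_relevant(e, env)):
            out["discard"].append(e.indicator)
        elif is_actionable(e) and e.vetted_by:
            out["deploy"].append(e.indicator)
        else:
            out["review"].append(e.indicator)
    return out


def entry(indicator, kind, published, sectors=(), platforms=(), context="", vetted_by=""):
    return FeedEntry(indicator, kind, published, frozenset(sectors), frozenset(platforms),
                     context, vetted_by)


# Constructed feed (indicators are placeholders, not real infrastructure).
SAMPLE_FEED = [
    entry("example-c2.invalid", "domain", date(2015, 6, 28), {"financial"}, {"windows"},
          "C2 domain seen in phishing against regional banks this month.", "analyst-a"),
    entry("stale.invalid", "domain", date(2015, 1, 5), {"financial"}, {"windows"},
          "Campaign infrastructure from January; sinkholed since.", "analyst-a"),
    entry("mobile-only.invalid", "domain", date(2015, 6, 30), (), {"ios"},
          "Mobile adware landing page.", "analyst-b"),
    entry("feed-only.invalid", "domain", date(2015, 6, 29), (), {"linux"}),
    entry("retail-campaign.invalid", "domain", date(2015, 6, 25), {"retail"}, {"office365"},
          "Payroll-themed lure abusing a mail platform we also run.", "analyst-b"),
    entry("00" * 32, "sha256", date(2015, 6, 30), {"financial"}, {"windows"},
          "Dropper hash from a peer bank's incident report; unconfirmed."),
]


def vet_sample_feed() -> dict[str, list[str]]:
    return triage_feed(SAMPLE_FEED)


if __name__ == "__main__":
    for bucket, indicators in vet_sample_feed().items():
        print(f"{bucket}: {indicators}")
```

Note that the retail campaign is kept even though it is outside the organization’s sector, because it abuses a platform the organization runs, while the mobile-only indicator is dropped despite being fresh; relevance is judged against the environment, not against how loudly the threat is reported. Nothing reaches the `deploy` bucket without a named analyst, which is the chapter’s point that feeds become intelligence only after human vetting.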
■ Conducting Red Team exercises to “stress-test” and strengthen your Cyber Fusion
A fundamental question for every business is: Will your cybersecurity organization be ready when an attack comes? An important means of assessing and “stress-testing” your CFC is to actively attack it. Through coordinated Red Team exercises, your CFC personnel can learn to detect and respond to a variety of threats.
Simulate threat actors’ TTP. Red Team operations will ideally be designed to simulate the tactics, techniques, and procedures of threats that your CTI team has assessed to be
    reports (highlights on relevant threats), and
    executive briefs (assessments on major and
    specifi c cyber issues for C-suite stakehold-
    ers). Depending on the audience, other tech-
    nical or nontechnical reports can also be
    Cyber Threat Intelligence is relevant. For
    many organizations thresholds for relevan-
    cy are tricky to defi ne, especially when
    media reports constantly warn about a
    range of threats. A cyber breach in a distant
    industry—even a major one—may not con-
    cern you as much as a breach within your
    own sector; a vulnerability in a technology
    platform you don’t use is obviously less
    important than a potential zero-day vulner-
    ability in your enterprise-enabling plat-
    form. Relevant threat intelligence produces
    valuable insights on not only issues occur-
    ring in the global business environment but
    also on specifi c issues within your industry
    and related to your IT environment. Even
    further, it strives to give you unique insight
    into specifi c adversaries targeting your
    organization or peers, by assessing their
    intentions and capabilities.
    Cyber Threat Intelligence is actionable.
    Actionable threat intelligence is created
    when analysts fi lter through large volumes
    of data and information (from human sourc-
    es, technical feeds, criminal forums, etc.),
    analyze why specifi c pieces of information
    are relevant to your organization, and com-
    municate how that information can be used
    by various stakeholders. C-suite executives
    need strategic “big picture” intelligence to
    inform business decisions such as risks asso-
    ciated with an increasingly global IT foot-
    print. On the other hand, your SOC, TDO,
    and ASR teams need tactical and technical
    intelligence to support current investiga-
    tions, create detection logic, and prepare for
    potential attacks. Technical intelligence will
    also be used to determine if certain mali-
    cious actions or indicators have already been
    present on your network.
    Strategic and tactical threat intelligence.
    Today’s corporate leaders face a serious
    challenge in that it is not always possible to
    accurately predict a cyberattack or its effects.

a risk to your organization. Your SOC could also be a valuable source of input as you determine how to implement your Red Team operations. What types of threats does your SOC regularly observe? More important, what types of threats does your SOC typically not see? Does your SOC find that there are gaps in detection? What does your SOC think they detect/mitigate well and is worth testing? Where does your SOC have limited detect/mitigate capabilities?

It is the Red Team’s responsibility to test these questions and the limits of your SOC and broader CFC. For example, if it is known that the SOC rarely encounters web shells—a type of malware installed on web servers—your Red Team may choose to directly attack a web server.

An important aspect of a Red Team operation is that only select leaders are aware of operations (often referred to as the “white team”), adding to the realism of the event. This implementation allows those who are aware to observe the event as it unfolds, particularly how teams interact with each other, how information is passed along, how stakeholders are engaged, and how the teams handle a variety of attack scenarios. These leaders can also help to scope Red Team activities to ensure no critical data or operations are actually compromised or exposed. (Remember to loop in the legal department prior to the exercise as well.)

After-action improvements. The end result of a Red Team activity should be valuable insight your security team can use to improve its capabilities. For example, during a web server attack exercise, the CFC will need to evaluate how it handled the incident. At what point did the SOC detect the attack? Are there changes that could be made in how security tools are configured to improve future detection of this type of attack? These sample questions frame the improvements that can be implemented within the cybersecurity organization.

The nature of the Red Team’s operations means that communication between the SOC and Red Team can sometimes be strained—no SOC likes to lose, and oftentimes the Red Team has the advantage. This can make after-action review of an incident stressful for both teams. However, a healthy, competitive relationship between the SOC and Red Team can foster improvements in the CFC, particularly in detection and response capabilities. Although the SOC and Red Team functions contrast, their missions are the same: to protect the organization and improve its security capabilities.

Implementation of Red Team operations should therefore emphasize the interdependency between the SOC and Red Team mission. The Red Team should assist the SOC during remediation efforts to ensure any uncovered vulnerabilities are no longer susceptible to exploitation.

The bottom line. Fundamentally, Red Team design and implementation takes a human-centric approach. The benefits of placing your “attackers” in close (physical or logical) proximity to your SOC analysts cannot be overstated. SOC analysts learn to develop an appreciation for the fact that they are fighting people who make decisions to achieve an objective—it’s not just about the malware.

■ Reducing your organization’s attack surface

Efforts to protect your organization will be significantly diminished if your IT systems have easily exploitable vulnerabilities, unnecessary services, and nonessential assets. On the other hand, shutting down all protocols, services, and data resources is not a viable option. Thus, the goal of Attack Surface Reduction (ASR) is to close all but the required doors to your technical infrastructure and limit access to those doors through monitoring, vulnerability assessment/mitigation, and access control.

The ASR team is dedicated to identifying, reducing, and managing critical vulnerabilities, services, and assets, while also focusing on preventing the introduction of vulnerabilities via improved hardening procedures.

Understanding and prioritizing your “attack surface.” Implementing ASR is all about identifying and understanding your most critical business applications and services—the

“crown jewels”—including their functions, supporting infrastructure, scope, and inherent vulnerabilities. This process entails a series of vulnerability scans, security documentation review, architecture assessments, host discovery scans, nonintrusive penetration tests, and targeted interviews with IT personnel.

Next, the ASR team should prioritize each asset, considering their critical value to operations and the ability for the most relevant threat actors—as assessed by your CTI team—to leverage these assets in an intrusion. In addition, the impact of these attacks must be considered. The assets that are most likely to be the victim of a high-impact attack or leveraged in a high-impact attack (such as Adobe Flash) should receive the highest priority, most robust security controls, and attention from the CFC.

More than just patch management. While vulnerability and patch management is a core ASR function, achieving a vulnerability-free organization is not a realistic goal. Vulnerabilities must be identified and managed appropriately—keeping a focus on preventing and quickly responding to the most critical. Continually improving deployment and hardening procedures, especially for publicly facing services and services that may permit attackers to access high-trust zones, is a critical ASR process for facilitating preventive measures and effective mitigation timing.

As such, the ASR function should be ongoing. ASR closely collaborates with other CFC functions, especially CTI and TDO, which can develop rules to detect exploitation of new vulnerabilities. For example, CTI may become aware of new vulnerabilities that threat actors are leveraging. ASR will work with CTI to prioritize the most relevant vulnerabilities based on reports of their exploitation “in the wild.”

A highly technical function that demands strong human analysis. Maintaining complete asset awareness is increasingly difficult in today’s dynamic business environment. Organizations require continuous scans and costly-to-maintain configuration management databases (CMDB) to track and ensure the attack surface hasn’t expanded beyond the organization’s acceptable risk level. And, new exposures often emerge throughout the course of normal business as new IT systems are introduced or upgraded.

While there are many technologies available to aid organizations in managing vulnerabilities and assets, human analysts can leverage contextual understanding of vulnerabilities and the attack surface in ways that scanning software cannot provide. Experienced ASR security professionals—who possess a deep understanding of network engineering, IT concepts, and security—are able to synthesize disparate pieces of information that can point to a previously undetected or contextually important attack vector.

The bottom line. Attack Surface Reduction enables organizations to proactively reduce security vulnerability-related risk prior to implementation and to mitigate existing and other inevitable risks. Importantly, the ASR function is designed so that humans complement the technology to minimize the attack surface to an optimized level that balances security risks and day-to-day realities of enterprise business operations.

■ Cyber Fusion Center attention

The seemingly endless string of breaches across major U.S. sectors—finance, technology, manufacturing, and others—leaves C-suite executives wondering, “Will we be next?” or even, “Have we already been breached?” New tools, technologies, and data sources may help in preventing an attack, but threat actors are clearly capable of scaling the castle walls, or fording the castle moat. Yet by developing a Cyber Fusion Center, organizations develop the speed, collaboration, coordination, information flows, and C-suite awareness necessary to not only survive but thrive.
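The asset prioritization the ASR section above describes (business criticality, relevance to the threat actors CTI tracks, exposure of publicly facing services and paths into high-trust zones, and exploitation “in the wild”), worked through as an added Python example that is not part of the guide or of any CFC team’s tooling; the asset names, weights, CTI interest table and VULN-EXAMPLE identifiers are all constructed for illustration.

```python
"""Added example (not from the SecurityRoundtable guide): a small Attack Surface
Reduction (ASR) prioritizer.  It ranks a constructed asset inventory the way the
text describes: impact (business criticality, plus a bonus when the asset is a
path into a high-trust zone) times likelihood (Internet exposure, interest from
the threat actors CTI tracks, and whether the asset's worst flaw is exploited in
the wild).  Weights, names and vulnerability ids are illustrative, not real."""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    vuln_id: str             # placeholder identifier, not a real CVE number
    cvss: float              # base severity, 0.0-10.0
    exploited_in_wild: bool  # CTI reports active exploitation


@dataclass
class Asset:
    name: str
    criticality: int          # 1 (commodity) .. 5 ("crown jewel")
    public_facing: bool       # reachable from the Internet
    reaches_high_trust: bool  # compromise gives a path into a high-trust zone
    technologies: frozenset   # platform tags CTI can match against
    vulns: list = field(default_factory=list)


# Constructed CTI assessment: how strongly the actors relevant to this
# organization target each technology (0 = not observed, 1 = primary focus).
ACTOR_INTEREST = {"web-cms": 0.9, "vpn-gateway": 0.8, "adobe-flash": 0.7}


def impact(asset: Asset) -> float:
    """Business criticality, with a bonus when the asset is a stepping stone
    into a high-trust zone (the text's 'leveraged in a high-impact attack')."""
    return asset.criticality + (2 if asset.reaches_high_trust else 0)


def worst_vuln_weight(asset: Asset) -> float:
    """CVSS of the worst flaw; in-the-wild exploitation doubles its weight, so a
    CVSS 7.5 under active attack outranks an unexploited CVSS 9.8.  Assets with
    no known flaws keep a baseline of 1.0: no scan finding is not 'no risk'."""
    weights = [v.cvss * (2.0 if v.exploited_in_wild else 1.0) for v in asset.vulns]
    return max(weights, default=1.0)


def likelihood(asset: Asset) -> float:
    exposure = 2.0 if asset.public_facing else 1.0
    interest = max((ACTOR_INTEREST.get(t, 0.0) for t in asset.technologies), default=0.0)
    return exposure * (1.0 + interest) * worst_vuln_weight(asset)


def priority(asset: Asset) -> float:
    return round(impact(asset) * likelihood(asset), 2)


def rank_assets(inventory: list) -> list:
    """Assets ordered for CFC attention, highest priority first."""
    return sorted(inventory, key=priority, reverse=True)


def patch_order(inventory: list) -> list:
    """(asset name, vuln id) pairs in the order ASR should remediate them: by the
    owning asset's priority, then in-the-wild exploitation, then CVSS."""
    pairs = [(a, v) for a in inventory for v in a.vulns]
    pairs.sort(key=lambda av: (priority(av[0]), av[1].exploited_in_wild, av[1].cvss),
               reverse=True)
    return [(a.name, v.vuln_id) for a, v in pairs]


# Constructed inventory for the demonstration.
INVENTORY = [
    Asset("customer-web-portal", 5, True, False, frozenset({"web-cms"}),
          [Vulnerability("VULN-EXAMPLE-1", 7.5, True),
           Vulnerability("VULN-EXAMPLE-2", 9.8, False)]),
    Asset("vpn-concentrator", 3, True, True, frozenset({"vpn-gateway"}),
          [Vulnerability("VULN-EXAMPLE-3", 8.1, True)]),
    Asset("hr-file-share", 4, False, False, frozenset({"smb"}),
          [Vulnerability("VULN-EXAMPLE-4", 9.8, False)]),
    Asset("marketing-kiosk", 1, True, False, frozenset({"adobe-flash"}),
          [Vulnerability("VULN-EXAMPLE-5", 6.5, True)]),
]

if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.name:22s} priority={priority(a):7.2f}")
    print("patch order:", patch_order(INVENTORY))
```

Note that the internal file share carrying the highest CVSS ends up last: with no exposure, no CTI interest and no in-the-wild exploitation, a raw severity score alone would have mis-prioritized it.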

    Electronic version of this guide and additional content available at: SecurityRoundtable.org
    Design best practices

Intercontinental Exchange & New York Stock Exchange – Jerry Perullo, CISO

What are they after? A threat-based approach to cybersecurity risk management

Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is not the place to let a thousand flowers bloom. How does a governance body that is balancing this complex topic with so many other complex risks pick the right questions to ask? The spectrum of popular guidance ranges from an end-to-end program that generates hundreds of inspection points to a kneejerk reaction to the latest headlines. Distilling the truly critical areas of focus requires a balanced approach that is well served by beginning with the end in mind and asking, “What are they really after?”

Traditional guidance has centered security program construction and audit on comprehensive standards-based frameworks. Although the popularity of specific standards has waxed and waned, general principles have revolved around identifying assets, establishing a risk management program around those assets, and establishing preventative, detective, and corrective controls to protect those assets. There is nothing wrong with this recipe at the tactical level. In fact, boards should expect a continuous program cadence around this type of strategy and expect to see third-party auditors, customers, vendors, and regulators use this approach in examination. Controls should be mapped to an established framework and any gaps or vulnerabilities identified. The challenge, however, is that this produces a massive corpus of focus areas and controls that cannot be digested in a single targeted governance session. And finally, it does not produce a ready answer to the top board concern: “How could we be hacked?”

Likewise, reacting to headlines and rushing to establish the controls and technology cited in the latest news story will divert all resources to someone else’s vulnerability, whereas yours may be very different. Simply asking, “Could what happened last week happen to us?” may at best result in a false sense of confidence or a mad dash to

address a gap that isn’t relevant to your organization. Vendors cannot be faulted for preying on this tendency, and the result is a barrage of solutions to the last headline’s problems: “You desperately need encryption.” “You need behavioral technology to baseline administrator activity and to alert unusual access times or locations.” “You need to give up on securing everything and only focus on the critical assets.” “You need stronger passwords.” All of these solutions have their place, but if they are not responsive to the threats facing your business, they may cause more distraction than protection based on your unique requirements.

Identifying a relevant and reasonable agenda for a governance session requires a targeted and balanced approach. Let us group the major cyber headlines of the last decade into several large categories. With a finite grouping of threats, we can begin to model what each threat would look like to your organization, which leads to an assessment of likelihood and impact. With this picture of viable threats, the board can hone in on specific questions that will produce the most value. By all means, all of the threats listed below should receive treatment in some capacity in any cybersecurity plan, but prioritizing which are most relevant to your organization will expose the most valuable areas to explore with limited time. Further, identifying business practices that expose you to a particular threat category may lead you to reconsider them in light of new costs that were not included in previous assessments. The calculus around maintaining a lower profile or outsourcing targeted data may change when you factor in cybersecurity risk.

■ Threat category 1: Data theft

Do you manage assets that can be easily monetized? Credit card numbers and social security numbers—in bulk—are the drivers behind many newsworthy breaches. Criminals have established the proper fencing operations and can justify enormous risk and effort to capture millions of card numbers or pieces of personally identifiable information (PII) that allow identity theft. Capturing 100 or 1000 is not, however, alluring enough. Do you have bulk card or PII data? Card processors, retail institutions, and health-care providers are clear targets for this type of penetration. If this is your world, the major breaches of the day serve as case studies. Lessons learned in these areas lead to an emphasis on the following questions:

• Do we know all the places where these sensitive data live, and have we limited it to the smallest set of systems possible?
• Is access to the systems housing this data tightly controlled, audited, and alarmed, including via asset-based controls?
• Is this data encrypted in a manner that would thwart some of the specific tactics observed in major breaches?

If you do not hold easily monetized data, these questions may not be the right place to start. Again, this does not mean that data theft is acceptable in any organization. Confidential email, intellectual property, customer login credentials, and trade secrets are some of the many examples of data we must protect. Close examination often shows that ring-fencing, asset-focused controls, encryption, and other concentrations born of the rash of recent card and PII breaches may not be appropriate for more common and less frequently targeted data, however. If the data you are protecting are much more valuable to you than to an assailant, traditional controls such as company-wide access control, permission reviews, and identity management are probably the right emphasis and should not be neglected in pursuit of stopping a phantom menace.

■ Threat category 2: Activism

Is your organization the target of frequent protest or activism? Perhaps the issue is climate change. Perhaps it is labor relations. Perhaps you are caught up in the storm of anti-capitalism, anti-pharma, anti-farming, or simply high profile. You may or may not know if there are groups with an ideological

motivation to put a black eye on your business. Cyber opens up a whole new realm of ways for people to accomplish this, and often with anonymity. When attacks fall into this category, the most likely impact is an action that can be touted in public. This usually means one of two things: Denial of Service (DoS) or defacement. The former category will attempt to demonstrate your powerlessness by rendering a component of your business unavailable to your customers or the general public. Although attacking customer access or more internalized systems may be more damaging in reality, remember that the goal is to make a splash on a big stage with minimal effort or exposure. More often than not, that means attacking your public website. The same target (plus social media accounts) is most common for defacement attacks. The only thing more satisfying to an activist than rendering your service unavailable is replacing it with a pointed message. High-profile attacks in this category include the near-incessant Distributed Denial of Service (DDoS) attacks against major banks, particularly those with names evoking western countries. Targets of defacement include Twitter and Facebook profiles of targeted companies and government entities. If this type of threat is likely to be pointed at your organization, good questions to ask include the following:

• Can we sustain a DDoS attack on the order of magnitude recently observed in the wild?
• If we have a DDoS mitigation plan, how long would it take to activate during an attack? Is an outage for this duration acceptable, or would it be considered a failure in the public eye?
• Are we continuously scanning our primary website(s) for common vulnerabilities that may allow unauthorized changes?
• If our website were defaced, how long would it take to restore?
• Are credentials to official company social media accounts tightly controlled by a group outside marketing that is more security conscious?

If this type of threat is not applicable to your organization, focusing controls and review on mitigating such attacks may not be the best allocation of resources.

■ Threat category 3: Sabotage

Are you a provider of critical infrastructure? Do you or your key executives issue politically charged statements publicly? Would the interruption of your business further an extremist objective? Although these threats require more sophisticated tactics and more time to perpetrate, they often bring highly motivated and coordinated threat actors. Adversary objectives in this area usually go well beyond website attacks. Physical control systems, data integrity, or even the functionality of employee workstations may be the target in this type of attack. Although there are many vectors for this type of attack and several are often used in conjunction, a common theme quickly becomes targeting employees individually. Social engineering and phishing prey on common habits and assumptions to dupe people into disclosing a password, clicking a malicious web link, or opening an attachment. These attacks can be the most difficult to defend against, but their reliance on persistent access and a longer lifecycle to build towards the final goal makes detective and corrective controls more valuable and decreases reliance on absolute prevention. Additionally, the actors involved and potential impact to national interests likely make mitigation assistance available to you if you focus on detection and have the right contacts in place. Good questions to ask if you are at risk of this category of attack include the following (and employees includes contractors and

• Do individual employees recognize the importance of their role in securing the organization and what an attack may look like?
• Are employees routinely reporting suspicious activity?
• Are employees educated and incentivized to act responsibly with regard to cyber?

• Are systems detecting suspicious employee behavior that may indicate credentials under the control of an outsider?
• Has contact been established with incident response firms and law enforcement, and could they quickly be mobilized if a compromise is detected?

■ Threat category 4: Fraud

Do you operate a system that makes or processes payments? Although any pay-for-service you offer may be the target of someone looking for a free ride, nothing attracts the sophisticated criminal element like cash. If you offer the ability to move money, you should have a focus here. Although fraud is certainly not a new challenge, Internet connectivity has certainly brought it to new levels. If this is relevant to your organization, you have likely been dealing with the ramifications long before cyber considerations were added. The following questions, however, may be helpful to ensure cybersecurity efforts are aligned with traditional fraud protections:

• Have we deployed and enforced two-factor authentication such as text messages, mobile phone apps, or physical tokens to require our customers to have more than a username or password to
• Are we using adaptive authentication to identify suspicious locations, access times, or transaction patterns in addition to classic credentials?
• Are we tracking and trending the sources, frequency, and value of losses?
• Are we working closely with peer institutions and competitors to share threat intelligence and identify common patterns we should detect and/or block?

■ Threat category 5: Commoditized hacking

Although specialized threats are associated with specific targets, all organizations have exposure to the most common family of commoditized threats. These threats are opportunistic and warrant different controls than advanced threats. At a minimum, automated attacks look to procure access to your IT environment so that your computing resources can be made available for more nefarious aims. Even if you do not host critical infrastructure or easily monetized data, commodity threats look to compromise your computers so that they can be used as agents of more sophisticated attacks. Malware looks to enlist your computing, storage, and bandwidth to help criminals blast out junk email, store pirated media, or contribute to a Denial of Service attack. Attackers in this category do not care (or often know) if your computers belong to a financial services firm, manufacturer, university, home network, or hospital. Protecting your organization from these common attacks requires being less exposed than the next target. Ask yourself:

• Have we identified a role in our organization that is responsible for
• Are only absolutely required services exposed to the Internet?
• Are PCs and email servers protected from common viruses and malware in an automated fashion?
• Does our corporate email employ controls to filter out the most common virus and spam campaigns?
• Does our corporate Internet access incorporate controls to block access to malicious websites?

One special form of opportunistic attack involves ransom. Some malware encrypts the content of infected computers so that it becomes unavailable until a payment is made. This type of attack can be crippling. In addition to the preventative controls outlined above, you should ask the following:

• Are our file servers backed up and tested regularly, and could we recover quickly if all current data were unavailable?
• Have we, via policy and practice, established the principle that PCs and laptops are disposable, that data on these

devices should not be relied upon, and that network storage should be used to house any critical data?

■ Conclusion

Although cybersecurity is a relatively new field, it has already grown into an expansive area requiring monitoring and controls around mission critical infrastructure and data. Attention to governance has ramped up dramatically in a short period, and it can be difficult to sift through the advice of experts. Investing time in analyzing threats and identifying what assets adversaries are truly after is a critical first step in establishing an effective governance policy around cybersecurity.

Palo Alto Networks Inc.

Breaking the status quo: Designing for breach prevention

■ Today’s reality and commoditization of threats

The statistics regarding the success of advanced cyberthreats paint a very grim picture. The increasing speed at which new security threats appear, and the growing sophistication of criminal hackers’ techniques, make fighting cybercrime a constant challenge. A recent study by Cyber Edge found that 71 percent of the security professionals polled said their networks had experienced a breach, up significantly from the previous year (62 percent). And half of those respondents felt that a successful cyberattack against their network was likely in the next 12 months, compared to just 39 percent in 2013.

Unfortunately, there isn’t a week that goes by these days when we aren’t learning about some new data breach. To say that keeping up with attackers’ evolving techniques and advanced threats is difficult is an understatement. These attacks come from multiple angles, through the edge of the network and directly at the users of our digital infrastructure. Not only are they more targeted in nature, the mechanisms that attackers use increasingly utilize a growing pool of software vulnerabilities. Some vulnerabilities are known only to the attacker, referred to as zero-days. Others are known to the general public but have yet to be fixed by the software vendor, a fact attackers are very much aware of.

Additionally, new attack methods and malware are shared readily on the black market, each more sophisticated than the last. The cat-and-mouse game between attackers and defending organizations is no longer a competition. Attackers have not only pulled ahead, they’ve gained so much distance that most security teams have given up on the notion that they can prevent an attack and are instead pouring investment into trying to quickly detect attacks, and defining incident response plans rather than trying to stop them. Why? Because legacy security offerings consist

of a set of highly disjointed technologies that only allow detection of attacks once they are already on the network or endpoint.

Organizations cannot hire their way out of this problem by throwing more people at navigating a legacy architecture or making up for the inherent gaps between the siloed technologies. Instead, organizations should be considering next-generation technology that natively integrates security to deliver automated results, preventing attackers from achieving their ultimate objectives. Given the sheer volume and complexity of threats, it’s important to use automation to accelerate detection and prevention without the reliance on a security middleman.

Despite the growing cybersecurity challenge we are all facing, we cannot give up on our digital infrastructure. Customers are becoming more and more reliant on the Internet and our networks to do business and access commercial services. They use these systems because of the trust they place in them. This trust underpins everything they do online and extends to an organization’s brand and place in the market. Legacy security approaches that focus only on detection and remediation, or rely on a series of disjointed tools, abandon this trust and can introduce significant risk by failing to consider how to prevent cyberattacks in the first place.

A new approach is needed in order to prevent modern cyberattacks. This new approach must account for the realities that today’s attacks are not only multidimensional in nature but also use an increasingly sophisticated set of techniques that are constantly in a state of change. As these techniques evolve, the risk of breach increases, and, as we all know, an organization is only as strong as its weakest entry point. Therefore, an effective strategy must work to disrupt an attack at multiple points, including:

• developing a Zero Trust security posture that focuses on only allowing legitimate users and applications, as opposed to trying to block everyone and everything that is bad
• blocking the different techniques attackers might use to evade detection and establish command-and-control channels
• preventing installation of malware—including unknown and polymorphic
• blocking the different techniques that attackers must follow in order to exploit a software vulnerability
• closely monitoring and controlling data traffic within the organization to protect against the unabated lateral movement when legitimate identities are hijacked.

■ Cyberattack lifecycle

Despite the headlines, successful cyberattacks are not inevitable, nor do they happen by magic. Often it is a ‘window’ that is left open or a ‘bag’ that is not screened that lets an attacker slip into a network undetected. After they are inside a network, attackers will sit and wait, patiently planning their next move, until they are sure they can reach their objective. Much like a game of chess, it is only at the end of a long and logical series of steps that they will try to act. Knowing the playbook of a cyberattack can help us disrupt and prevent not just well-understood attacks but also highly sophisticated new attacks used by advanced

Despite different tools, tactics, and procedures used by an attacker, there are certain high-level steps in the attack lifecycle that most cyberattacks have in common. Traditional approaches to security focus on installing a feature to disrupt only one point along this lifecycle. This approach often comes from the fact that different parts of an IT security team have different objectives: network administrators care about connectivity and the firewall, info security analysts care about analytics, and so forth. They seldom have to really work together in a coordinated manner because this approach was previously useful at stopping low-level threats that involved opportunistic targeting, such as the infamous email scam from a foreign prince needing to transfer $1 million to the U.S.

However, today’s attacks have become more and more sophisticated as advanced tools have proliferated and as effective attack strategies have been developed and shared among criminal and nation-state adversaries. These attacks are often called advanced persistent threats (APTs), so named because they use advanced tools and persistently target an organization again and again until they get in. They are patient and stealthy, preferring to forego a quick boom and bust for a longer payoff of high-value information.

While APTs used to be the domain of nation-state espionage, today organizations large and small face these high-level threats from actors seeking to steal sensitive intellectual property and financial information, disrupt digital systems, or cause embarrassment. It is against these patient and persistent advanced adversaries that traditional single-point approaches fail. However, by targeting every step of an attacker’s playbook, it is possible to architect a solution that offers much greater odds at stopping the attacks before they can reach their objective. At the very least, putting preventative measures in place that take the complete lifecycle into consideration will raise the cost for the attacker, potentially forcing him to look elsewhere for an easier victim. Let’s take a look at the steps an attacker goes through to get into and out of a network.
Advice along the cyberattack lifecycle

Reconnaissance. Just like burglars and thieves, advanced attackers carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee’s public online profile or from corporate websites. These criminals also scan for network vulnerabilities and services or applications they can
• Even job websites can be a gold mine of information. If you are looking to hire a new engineer who is familiar with a certain security product, an attacker can deduce what you are using to protect your network and will know where common gaps are in your
• You can’t stop all reconnaissance activity, but you certainly shouldn’t make it any easier for the attacker! People and processes are just as important to security as technology. Good training and strong security practices will help limit reconnaissance and harden your security profile. You should be aware of what your adversary can learn from your corporate website and ensure that members of your organization with high-level access receive training to be security conscious.
• Finally, there are many services that offer advanced ‘red-team’ exercises to help you identify weaknesses in your security posture. These simple steps can also put in place policy ‘trip wires’ that can alert you to unusual activity that may indicate an advanced actor is interested in you.

Weaponization and delivery. As we move to the next stage of the cyberattack lifecycle, technology becomes even more critical to preventing advanced threats. The hacker must choose his method for gaining access onto your network. This access can be digital, or even physical, but is primarily intended to gain a foothold from which to plan the assault and achieve the attacker’s objectives.

Spear phishing
• With the information gained from their reconnaissance, the attackers have to determine which methods they must use to penetrate your network. They often choose to embed intruder code within seemingly innocuous files like a PDF document or email message. They may also seek to use highly targeted attacks to catch specific interests of an

• Spear phishing is by far the most commonly used tactic because it’s simple and effective. An attacker will use information gathered during the reconnaissance phase to craft an email with a malicious attachment for a specific user he believes has access to sensitive credentials or information.
• Many organizations have begun training their employees to spot these attacks by sending test emails that can track who opens them. Over time they can see which departments continually fall for these attacks and target training there.
• However, we are all conditioned to read emails and open attachments if they seem relevant to our positions. Even with the best training, a well-crafted spear phishing email that appears to come from a family member, friend, or boss can trick the most seasoned security veteran. It’s vital to ensure that you have technical security measures as well to mitigate any malicious malware that might ride email into your

Watering hole
• Another approach to gaining access is known as watering hole attacks. In this method the attacker will set up a fake website that downloads malicious code to any visitor, then direct their victims to it. When a user visits the website, a software exploitation kit installs malware on the victim’s computer, which then reports back to the attacker so he knows who he’s infected and can access their system to steal data.
• Watering hole attacks are harder to pull off because they require compromising a separate web server, but they can be very effective if a company is watching for malicious files in email. Traditional security products do not always prevent their users from visiting malicious websites. However, advanced approaches will filter known malicious addresses to keep users from becoming victims of a ‘drive-by

Exploitation. Once attackers gain access ‘inside’ an organization, they can activate attack code on the victim’s computer (also known as a ‘host’) and ultimately take full control.
• To gain full control over a victim, specialized programs exploit vulnerabilities in existing software to install themselves as legitimate users. Vulnerabilities are usually old bugs that were not caught during the original writing of the code. Sometimes they are known bugs that have not been repaired, or ‘patched’; sometimes they are as of yet unknown to anyone except the attacker. These unknown vulnerabilities are called zero-days because they are not found by the victim until the first day he realizes he has been penetrated by an attacker.
• As noted earlier, zero-days are the most nefarious of threats. Luckily, true zero-days are also the most rare. When they are used, however, it generally means that no one else is protected from them. Because no one is patched for it, if an attacker moves quickly, he can take advantage of the same vulnerability on many, many
• If you can’t catch an unknown threat, you can at least prevent an attacker from using that vulnerability to cause damage. Because attackers have similar goals, such as stealing or damaging important files, there are only so many techniques they can use after they have penetrated a system to achieve their end goals. Advanced security software will hunt for malware that uses zero-days by searching for and stopping common techniques attackers use after they have gained access to your
• Common vulnerabilities are being found and fixed every day. Your organization should also have a process in place to regularly update and patch all your software and hardware. However, sometimes these new versions and updates can cause existing systems to malfunction. This will often leave IT teams hesitant to update systems until a new patch can be tested and can cause delays that leave you with vulnerabilities known to the entire world. While you should always lean toward patching and updating as soon as possible, the balance of security and operability must be viewed through your own business risk management practices.

Installation. As a first order of business, advanced attackers will seek to establish themselves as securely and quietly as possible across your network.
• They do this by taking advantage of the trust of the digital systems they are working in. Often an attacker will make himself an administrator on a computer and then try to infect other users in order to steal their digital identities. He will play this game of laterally escalating access privileges to gain a higher and higher level of control of your systems. Along the way the attacker will also open backdoors that allow him to connect back into your network even if he is eventually caught and shut out. This is why it can be especially difficult to fully remove an advanced actor from a network.
• It seems strange, but many of the tools attackers use can be found freely online or for sale on the Internet. Tools are viewed just like a hammer and nails, where on the one hand security professionals use them to test systems and build stronger security, but on the other hand they can be used as weapons. These ‘off-the-shelf’ security tools, while highly capable, can often be found by traditional security methods such as antivirus software.
• However, more advanced actors will build their own custom tools, such as remote access tools (RATs), that are undetectable by antivirus software. In fact, some tools commonly shut off antivirus software as one of the first steps of installation. These tools require a larger investment from the attacker and will primarily be designed to gain a foothold as a seemingly legitimate user on the network. From there the attacker can act like a normal employee and use authorized applications such as file-sharing software or internal email to cause mischief.
Command and control. Gaining a foothold in a network is of no use to attackers if they can’t control their attack.
• An advanced actor knows that he is likely to be discovered at some point and must be ready to improvise by hiding and running from security teams or software. To do this, an attacker establishes a command-and-control channel back through the Internet to a specific server so he can communicate and pass data back and forth between infected devices and his server.
• The most commonly used channel for attackers to communicate to their tools is through regular Internet traffic (using hypertext transfer protocol, or HTTP). Usually their communications will pass through defenses of traditional security tools as they blend in with the large volume of traffic from legitimate users.
• The attacker’s tools will periodically phone home, typically referred to as beaconing, to obtain the next set of commands. Beacons can also contain reconnaissance information from the compromised target, such as the operating system configuration, software versions, and the identity of users who are logged on to the network. In very complicated networks, this information can allow an attacker to quietly burrow deeper and deeper. Clever malware also moves beyond simple requests for command and control and tries to emulate human behavior by using email or social networking applications to receive its attacker commands.
• If you treat your network with zero trust, as though it might already be breached, you can start to lock down unnecessary pathways for attackers to communicate and move around. Segmenting networks and building internal controls on applications can act like a firebreak, keeping an attacker from spreading to other parts of your network.
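To make the beaconing point concrete, here is an added example (not part of the original chapter) that looks for periodic phone-home traffic in outbound proxy logs. The log format and the log lines are constructed for the example; the idea it demonstrates is that tool check-ins show very regular gaps between requests to the same destination, whereas a person browsing does not.

```python
"""Beaconing detection over constructed proxy log lines (added example).

Requests are grouped by (client, destination); the gaps between successive
requests are measured and a pair is flagged when the gaps are nearly constant.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <destination host> <bytes>".
# The first client checks in every ~30 s; the second browses at irregular times.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 updates.example-cdn.test 512
2024-01-01T09:00:30 10.0.0.5 updates.example-cdn.test 512
2024-01-01T09:01:00 10.0.0.5 updates.example-cdn.test 512
2024-01-01T09:01:31 10.0.0.5 updates.example-cdn.test 512
2024-01-01T09:02:00 10.0.0.5 updates.example-cdn.test 512
2024-01-01T09:02:30 10.0.0.5 updates.example-cdn.test 512
2024-01-01T09:00:05 10.0.0.7 news.example.test 18220
2024-01-01T09:03:41 10.0.0.7 news.example.test 9031
2024-01-01T09:04:02 10.0.0.7 news.example.test 22187
2024-01-01T09:17:55 10.0.0.7 news.example.test 14002
2024-01-01T09:18:10 10.0.0.7 news.example.test 3390
2024-01-01T09:40:00 10.0.0.7 news.example.test 8800
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size = line.split()
        yield datetime.fromisoformat(ts), client, host, int(size)


def find_beacons(text, min_requests=5, max_jitter=0.2):
    """Return {(client, host): (mean_gap_seconds, jitter)} for regular request trains.

    jitter is the coefficient of variation of the gaps (stdev / mean); a value
    close to zero means the requests fire on a fixed schedule. The thresholds
    are illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _ in parse_log(text):
        by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (client, host), (gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {gap}s (jitter {jitter})")
```

A low-jitter pair is a lead, not a verdict: legitimate update agents and monitoring clients beacon too, so output like this belongs next to an allow-list of known destinations and the content inspection the chapter describes, rather than being acted on by itself.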
Actions on the objective. Attackers may have many different motivations for breaching your network, and it’s not always for profit. Their reasons could be data exfiltration, defacement of web property, or even destruction of critical infrastructure.
• The most common goals of attackers often involve finding and exfiltrating your data without getting caught. During this late stage, the work is usually done by an active person issuing commands to his tools on your network. He has a goal and a script that is followed in a complex process that may last days, weeks, or months, but ends with all your sensitive data slipping through a backdoor in your network.
• This is one of the most difficult steps to stop, as an active person can improvise and adapt to your security response efforts. While it may seem counterintuitive, it’s important to respond with patience when trying to stop an active intruder. A common tactic of advanced attackers when they are caught is to ‘smash and grab’; this means they will forget about remaining quiet and do whatever they can to achieve their objectives, potentially damaging your systems in the process. They can also choose to slip deeper into your systems, burrowing in and waiting to reuse one of their backdoors to gain entry after you believe you have patched all your vulnerabilities. For these reasons, it is critical to have a response plan in place ahead of time so that the adversary doesn’t detect signs of panic and get tipped off. If you can discover the attacker before he realizes he is caught, you can work to clean up his tools, while closing doors and windows he may have used to get in.
• A strong response plan will also help you prepare in advance for any mitigation efforts needed, including the vital step of external relations if it becomes public that you have had an incident. Depending on the data that was accessed or stolen, you may have regulatory or legal reporting requirements that you will need to be prepared to deal with. Even if the attacker is not successful at actually taking data, these requirements may still be in place as in many cases you may not be able to determine if data was stolen, exposed, or remained untouched.
Trying to stop an advanced adversary at only one point in this lifecycle is an exercise in futility. Just like a network has vulnerabilities and weaknesses, so too does the attacker. He will reuse tactics, techniques, and procedures on multiple victims, establishing patterns that can be recognized, studied, and exploited. But to gain this leverage, a new approach to security is needed.

■ Why legacy approaches fail

Most security architectures today resemble a set of siloed organizations, processes, and technical infrastructure. They have largely been assembled like a manufacturing production line, where a series of security events roll down a conveyor belt of individual point products, while different staff members perform their individual duties. This has been the traditional approach to security, and historically we’ve been able to use it to fend off low-level threats. However, these architectures are beginning to show their weaknesses as attackers have learned to slip between silos. Today we see how costly legacy systems can be both in their inability to prevent targeted attacks and in their unnecessary expense to the organization.

Over the last several years in particular, there has been a dramatic evolution in both the attackers and the techniques they use. By many estimates cybercrime is now a nearly half-trillion-dollar industry, and like any industry, opportunity fuels more investment and innovation. The best way to get an industry to collapse in on itself is to take away that potential for profit. Therefore, we must make it so unbelievably hard for cyber criminals to achieve their objectives that their only option is to invest more and more resources to stage a successful attack, to the point that it becomes unprofitable.

One of the primary strategic failures of traditional security architectures is their reactive approach. Following the assembly-line model, security teams work to read data logs about events that happened to their network in the past. Since most of these teams operate in a siloed manner, these log files are routinely examined in isolation from other critical teams and thus lack important context that can be used to quickly detect and prevent an attack. Relying on a human in the middle of a network’s defenses is too slow to be effective against advanced, automated hacking tools and creative attackers.

A secondary strategic failure is a lack of attention toward ‘proactive prevention.’ Organizations often don’t do enough to reduce their attack surface, allowing certain classes of applications that are unnecessary for their business and leaving doors open on their network by using port-based policies. This essentially allows adversaries to distribute malware and steal intellectual property through basic applications into which they have little or no visibility. We must break away from the traditional approach to security that has proven ineffective at stopping advanced attacks time and time again.
Tenets of a traditional security architecture

Limited visibility. You can’t secure what you can’t see. Traditional sensors only seek out what they know to be bad, rather than inspect all traffic to only allow what is good. Your security architecture must eliminate blind spots by having the ability to see all applications, users, and content across all ports and protocols (the doors and windows of your network) even if they are encrypted. It must also have the ability to see and prevent new, targeted attacks that are utilizing threats that have never been seen before, such as malware and zero-day vulnerability exploits.

Lacking correlation. If attacks are multidimensional, your defense must be as well. Today’s attackers shift techniques while they are working their way into a network in order to step over the traps laid for them by traditional defenses. In order to find the clues they leave behind, your architecture must act like a system of systems where individual technologies work in concert to identify and then automatically prevent attacks. Correlating sensors and protection makes each element within the system smarter. For example, if a thief has hit multiple houses using the same techniques, you will need to adjust your burglar alarm for those techniques. In cyberspace, however, this process can be automated to increase the speed of detection and prevention.

Manual response. With attacks evolving at a rapid pace, it’s critical that we wean ourselves from relying on the ‘man in the middle.’ Systems focused on detection often throw up mountains of alerts and warnings for low-threat items, overwhelming your IT security team. An advanced security architecture must employ a system of automation that’s constantly learning and applying new defenses without a requirement for any manual intervention. It must weed out the congestion automatically, handling 99 percent of low-level threats so you can focus your team’s attention on the 1 percent of the highest priority incidents.
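The three tenets above come together in a small added example (not from the chapter) that correlates constructed events from an email gateway, an endpoint agent, and a web proxy by host and time window, closes isolated low-value events automatically, and escalates a chain seen by several sensors together with a proposed preventive action. The sensor names, event wording, weights, and escalation threshold are assumptions chosen for illustration.

```python
"""Cross-sensor correlation with automated disposition (added example).

Constructed events from three sensors are keyed by host and grouped into a
time window. A lone low-value event is closed automatically; a chain seen by
more than one sensor is escalated together with a proposed preventive action.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor events: (timestamp, sensor, host, detail). Not real telemetry.
EVENTS = [
    ("2024-03-04T10:00:00", "email",    "ws-17", "attachment delivered: invoice.pdf"),
    ("2024-03-04T10:02:10", "endpoint", "ws-17", "pdf reader spawned a shell"),
    ("2024-03-04T10:02:40", "proxy",    "ws-17", "first connection to cdn-sync.example.test"),
    ("2024-03-04T10:05:00", "proxy",    "ws-22", "blocked category: gambling"),
    ("2024-03-04T11:30:00", "endpoint", "ws-17", "removable media mounted"),
]

# Assumed weight per sensor observation; the chain, not any single event,
# decides severity. ESCALATE_AT and WINDOW are illustrative thresholds.
WEIGHTS = {"email": 1, "endpoint": 3, "proxy": 2}
ESCALATE_AT = 5
WINDOW = timedelta(minutes=15)


def correlate(events, window=WINDOW):
    """Group events per host into time windows and return one incident per group."""
    by_host = defaultdict(list)
    for ts, sensor, host, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), sensor, detail))

    incidents = []
    for host, evs in by_host.items():
        evs.sort()
        group = []
        for ev in evs:
            # Start a new group once the window measured from the first event expires.
            if group and ev[0] - group[0][0] > window:
                incidents.append(_disposition(host, group))
                group = []
            group.append(ev)
        if group:
            incidents.append(_disposition(host, group))
    return incidents


def _disposition(host, group):
    """Score a group; escalate only with corroboration from more than one sensor."""
    sensors = sorted({sensor for _, sensor, _ in group})
    score = sum(WEIGHTS[sensor] for _, sensor, _ in group)
    actions = []
    if score >= ESCALATE_AT and len(sensors) > 1:
        disposition = "escalate"
        actions.append(f"isolate {host}")
        for _, sensor, detail in group:
            if sensor == "proxy" and detail.startswith("first connection to "):
                actions.append("block " + detail[len("first connection to "):])
    else:
        disposition = "auto-close"
    return {"host": host, "score": score, "sensors": sensors,
            "events": [detail for _, _, detail in group],
            "disposition": disposition, "actions": actions}


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["disposition"], inc["score"], inc["actions"])
```

Run on the constructed events, the delivery, the shell spawned from the reader, and the new outbound destination on ws-17 fall inside one window and are escalated with an isolate and a block action, while the blocked gambling request on ws-22 and the later lone endpoint event on ws-17 are closed without an analyst touching them; that split is the 99 percent versus 1 percent the Manual response tenet describes.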

Stopping today’s advanced threats lies in turning the economics of our reality on its head by preventing threats in multiple places at each step of the cyberattack lifecycle. This requires creating an architecture that can detect attacks at every point around and within a network, closing any gaps and preventing them from successfully launching in the first place.

■ Prevention architecture

No organization today is immune to cyberattacks. Cyber criminals are ramping up activity across the globe and utilizing new methods to evade traditional security measures. An effective security architecture must not only prevent threats from entering and damaging the network but also take full advantage of knowledge about threats in other security communities. Traditional solutions typically focus on a single threat vector across a specific section of the organization. This lack of visibility is leaving multiple areas vulnerable to attack. In addition, these legacy solutions are made up of a ‘patchwork’ of point products that make it very difficult to coordinate and share intelligence among the various devices.

As a result, security teams are forced to invest more and more time and money in detection and remediation efforts, under the assumption that prevention is a lost battle. These efforts require a time-consuming process of piecing together evidence from different devices, combing through them to discover unknown threats, and then manually creating and deploying protections. By the time this happens—often days or weeks later—it’s too late because minutes or hours are all an attacker needs to accomplish his or her end goal. This Band-Aid approach doesn’t fix the fundamental problem of accounting for the new threat landscape.

While nothing will stop every attack, designing a security architecture with a prevention mindset (and following some of the risk management best practices outlined in our chapter, “The CEO’s guide to driving better security by asking the right questions”) can make cybersecurity a business enabler. By preventing damage to networks and theft of sensitive information, vital IT resources, people, and time are freed up to tackle core business functions. In order to shift from a ‘detect and remediate’ stature to preventing attacks, business leaders need to consider three cybersecurity imperatives:

1. Process: organize to reduce your attack surface.
• Modern networks can be a rat’s nest of systems and users cobbled together from mergers, legacy architectures, and prior acquisitions. This confusion leaves many points of entry for attackers to slip in unnoticed and reside on your network for months or even years. A critical step to preventing advanced cyberattacks is to know your network better than the attacker does. To do this you must work at simplifying your architecture down to manageable pieces that can be controlled, watched, and defended.
• A key step in reducing your attack surface is to only allow network traffic and communications that are required to operate your business by utilizing technology that understands the applications, users, and content transiting your network. It seems like common sense that unknown traffic could also be hiding malicious activity, but often when organizations take a deep look at their traffic, they find high-risk applications that they had no idea were running on their network. Legacy approaches often only search to block what is bad, rather than allowing only what is good. This approach is also known as ‘white listing’ and will immediately reduce the scope of your security challenge by eliminating opportunities for malware to get into your network.
• Another step to reducing your attack surface is to segment important components of your networks, such as data centers. As described earlier, advanced actors often seek to break

into a less secure part of the network and then move laterally into more sensitive areas. By segmenting the most vital parts of a network from email or customer-facing systems, you will be building in firebreaks that can prevent the spread of a breach.
• You also can’t neglect to secure the endpoint or individual user. This is the final battlefield. Originally, antivirus software contained signatures for malicious software and could, thus, catch most major infections from common threats because it knew what to look for. However, as we learned earlier, today’s attacks can include unknown malware or exploits that are essentially invisible to antivirus software. This has led to a massive decline in the effectiveness of traditional antivirus products and a rise in a new way of thinking about endpoint protection. Rather than looking for something that can’t be seen, you can reduce the endpoint attack surface by preventing the type of actions taken by exploits and malware. Stopping the type of malicious activity associated with an attack is much more effective than hunting for an attack that, by nature, is stealthy and hidden.
• Finally, it seems simplistic, but as you make investments to re-architect your network and reduce your attack surface, you have to use all those investments to their fullest. Purchasing next-generation technology is useless if you don’t turn it on and configure it properly. Establishing a process for staying up to date on your security investments is one of the most critical habits to form.

2. Technology: integrate and automate controls to disrupt the cyberattack lifecycle.
• Don’t use yesterday’s technology to address today’s and tomorrow’s security challenges. As noted earlier, legacy security approaches offer individual products to be bolted on for single-feature solutions. This leaves gaps that can be broken by new methods of attack, leaving your organization at risk. However, by using an integrated cybersecurity platform that protects across your entire enterprise, your defenses can work together to identify and close gaps that would be exploited by an attacker. Communication is key to any strong defense. If your products can’t share information on what they are seeing, there is no chance to pick up clues that might aid in preventing an advanced attack.
• The next step is automating prevention measures. Humans have proven time and again that we are the weakest link in security. Advanced actors are faster, more persistent, and stealthier than manual response efforts. It just takes one overlooked log file or one missed security alert to bring down an entire organization. However, if you have an integrated platform that communicates visibility across your defenses, it can also automatically act on new threats, preventing what is malicious and indeterminate what is unknown.
• Integration should also enable your organization’s agility and innovation. Business doesn’t stop at the elevator, as employees take laptops to work from home or use their personal mobile devices to access your corporate cloud on the road. As your data moves to enable your workforce, security should go with it. Choose a platform compatible with newer technologies such as mobile, cloud, and network virtualization.

3. People: participate in a community that shares cyberthreat information.
• End users cannot be relied upon to identify every malicious URL or phishing attack. Organizations must educate their constituents about what they can do on their part to stop cyberattacks. However, beyond education, to protect against today’s truly advanced cyberthreats, we must utilize the global community to combine threat intelligence from a variety of sources to help ‘connect the dots.’ Real-time, global intelligence feeds help security teams keep pace with

threat actors and easily identify new security events.
• As attackers move from target to target, they leave digital fingerprints in the form of their tactics, techniques, and procedures. By analyzing this evidence and then sharing it, threat intelligence from other organizations can quickly inoculate you from new attacks as bad guys seek to move between organizations and even industries. Combined with an integrated platform that can act automatically on this intelligence, you can rapidly distribute warnings and make it impossible for attackers to strike twice. The network effect from vendors with large customer bases is extremely powerful as it builds a security ecosystem, which can organically respond to new threats.
• Many organizations are even coming together to share threats as an entire sector. Recent policy from the U.S. Government has made it easier to collaborate and share cyberthreat information between companies and work together to identify and stop advanced cyber actors.

The most significant way to fill in all the gaps and truly protect an organization from advanced and targeted threats is to implement an integrated and extensible security platform that can prevent even the most challenging unknown threats across the entire attack lifecycle. An IT architecture must remain secure while also providing business flexibility and enabling applications needed to run day-to-day operations. Stopping even the most advanced attacks is

regulatory requirements or mandatory certifications. IT security personnel are often drafted from projects that support core business operations to work in the ‘dark corners’ of network security with a gloomy future of scanning thousands of false alarms, updating old software, and, of course, getting blamed for the inevitable cyber incidents that are usually caused by larger organizational problems. This sad tale is a reality for a shocking number of organizations; it not only guarantees failure, it ensures lost opportunity for innovation that comes from having a strong security posture.

Adopting a prevention philosophy helps create strategies for better security and maximizes the value of an organization’s actions and resources. Viewing cybersecurity as a business enabler helps drive appropriate resource allocation by returning value to the business based on new opportunities that would not have been available without the level of trust afforded by a prevention architecture.

Take the case of the IT security team. When an organization decides to take their security more seriously, usually after a cyber incident, one of the first things they do is dump more people into IT security positions. While trained security experts are a boon for any organization, the architecture they are working in can have them needlessly chasing cycles of work, wasting budget by hunting for cyber needles in digital haystacks of alarms, and manually remediating countless vulnerabilities. Employing a prevention architecture that automates protection capabilities and shares threat intelligence using an integrated platform means that security teams can operate much more efficiently and effectively. Their time is an organization’s money, and it’s imperative to ensure that personnel working on core IT functions that keep business operations running are not being wasted on outdated security practices.

Strong cybersecurity can also open new opportunities by making organizations more flexible and resilient. Today’s workforce is constantly connected to the Internet at home, on the road, and at their desk. Users move between applications and
    possible, but we have to begin with a pre-
    vention mindset.
    ■ Conclusion: Cybersecurity as a business
    Traditionally, IT security has been seen by
    most organizations as a cost center, requiring
    continued expenses but not bringing in any
    revenue. The attention and resources devoted
    to it are often the bare minimum to meet

    203 ■
    If organizations continue to view investments
    in cybersecurity simply as cost centers to be
    solved by bolting on legacy technology, we
    will all continue to suffer the consequences.
    Our most valuable data and the keys to vital
    pieces of infrastructure will walk out the door
    in the hands of cyber criminals, while the
    trust we have built between our customers
    and our systems continues to degrade. This
    will happen time and time again until we are
    forced to change and narrow the way we use
    digital systems in our everyday lives. This
    must not become the reality for the entire
    community that receives such unimaginable
    benefi ts from the Internet. By adopting a pre-
    vention mindset it is possible to change the
    status quo and take back the control and trust
    in systems that enable critical business opera-
    tions. Planning for disaster is always a smart
    move, but preparing for failure will accom-
    plish just that.
    devices seamlessly and expect that their
    actions will translate between these differ-
    ent environments. However, this tradition-
    ally has not been the case. Threats from
    third-party applications, unsecured cloud
    environments, and infected personal mobile
    devices have become so prevalent that many
    traditional security products will either
    block them completely or just assume that
    they cannot be protected. This old way of
    doing business doesn’t match the reality of
    today’s workers, who are expected to be
    more agile and mobile than ever before.
    Architecting a network to wrap these devic-
    es and third-party services into an existing
    security platform ensures that data will
    remain secure as workers go out to meet
    with customers in the fi eld and expand busi-
    ness beyond its offi ce walls.
    The security fi eld is stuck today with few
    answers to increasingly challenging problems.
Cybersecurity glossary

Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). http://niccs.us-cert.gov/glossary
Attack surface: An information system’s characteristics that permit an adversary to probe, attack, or maintain presence in the information system. http://niccs.us-cert.gov/glossary
Antivirus software: A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code. http://niccs.us-cert.gov/glossary
Command-and-control channel: Data link for an attacker to communicate with his malicious software installed on a victim’s system.
Data exfiltration: After an attacker has found sensitive data that he is targeting, he will attempt to package this data and remove it silently from a victim’s system.
Endpoint: Specific parts of an IT infrastructure that users interact with directly, such as workstations or mobile devices.
Exploit: A technique to breach the security of a network or information system in violation of security policy. http://niccs.us-cert.gov/glossary
Hypertext transfer protocol (HTTP): Technical rules for transferring data over the Internet. Web browsers use HTTP, and the encrypted variant HTTPS, to allow users to interact directly with websites in a secure manner.
Malware: Software that compromises the operation of a system by performing an unauthorized function or process. http://niccs.us-cert.gov/glossary
Network: Joined pieces of an IT infrastructure that transfer and route data to and from endpoints and other networks.
Polymorphic malware: Malicious software that is designed to continuously change its appearance, allowing it to evade legacy security detection technology such as antivirus software.
Port-based security: Stateful inspection firewalls block any Internet traffic coming into or out of a network on a specific line of communication, called a port. However, modern applications use different ports, and malicious software can change the port it uses.
Remote access tools (RATs): Malicious software that allows an attacker to control a system where he is not physically present. These functions in IT systems also exist for legitimate uses, such as support functions.
Zero-day: A software vulnerability that is unknown to the public but is used by an attacker to gain access and control of a network or system.

Cybersecurity beyond your network

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Booz Allen Hamilton – Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate

Supply chain as an attack chain

The supply chain ecosystem reaches farther and wider than ever before. The growing range of suppliers provides significant competitive advantages for companies that strategically and securely source from this global network. Yet this complex footprint comes with an equally complex range of cyberthreats, and the majority of organizations do not realize the breadth and depth of these challenges. However, hackers are well aware of existing supply chain vulnerabilities and are moving aggressively to take advantage of these exposures.

Threat actors typically target organizations’ supply chains through two vectors: the first type of attack is known as “adversarial supply chain operations to,” or “ASCO To,” and the second is known as “adversarial supply chain operations through,” or “ASCO Through” (Figure 1). In an ASCO To attack, your organization is the direct target. In the latter, the adversary uses your supply chain as a means to target one of your customers. Although the intent is different, both have the potential for devastating impact to your revenue, reputation, and end consumer.

Figure 1: Attack methods on the supply chain
• Threat actors: Nation-State; Competitors (esp. [truncated]); Criminals; Hacktivists
• Labels: ASCO To; ASCO Through; Customer Operations
• Lifecycle process: Source; Build; Fulfillment; Distribution; Disposal
• Example methods: Interdiction/Compromise; Theft/Re-route; Break/Fix subversion; Malware shotgun infection; Malicious component insertion; Repair part compromise; Trojan insertion/Design to fail; Fraud
• Potential effects: Halt or slow production; Prevent sustainment operations; Loss of intellectual property; National security risk; Customer compromise; Impaired customer operations; Brand/Legal/Market impact; Loss of customer intellectual property

To compound this issue, today’s attackers are often well funded and extremely organized. These attackers have the resources, skills, and patience to conduct sophisticated attacks on your supply chain. For example, a supply chain cyber adversary may clandestinely intercept delivery of your products and switch cyber sensitive components with a malware-infused copycat. These attacks are often so sophisticated that the end users may not realize that they did not receive the original version.

Nation-states, hacktivists, organized criminal groups, and lone wolves are constantly scanning supply chains for weak points, and the impact of this attention has the potential to reverberate well beyond your supply chain. You inherit the risks of your suppliers. If one of your suppliers lacks security controls, you may absorb their vulnerabilities. This is particularly true if you do not comprehensively test their components during your acceptance process; once you accept their product, you accept the risks of being attacked or passing along an attack to your customers. In the event that a cyberattack occurs, you own the impacts as well. This includes brand damage, operational stoppage, legal exposure, canceled sales, and government sanctions.

■ Dangerous combination of hidden risks and higher expectations

Tackling cybersecurity risk in supply chain may feel like you are trapped between a virtual rock and a hard place. As companies drive to increase supply chain flexibility at the lowest overall cost, sourcing decisions expose them to the vulnerabilities of suppliers and all of their successive networks of suppliers. This ever-evolving cybersecurity threat in the multi-layered supply chain presents a number of challenges when managing cybersecurity. See Figure 2.

Figure 2: Cybersecurity challenges in the supply chain
• Lack of Visibility: Limited visibility across the supply chain regarding exposure and controls
• External Dependencies: Companies cannot ensure part integrity on their own—they will need participation from suppliers and other business partners.
• Dynamic Threat: The evolving capabilities of well-resourced and determined adversaries means that “point in time” solutions are insufficient.
• Cross-Functional Challenge: Requires change and collaboration from various internal business functions to collectively manage cyber risk throughout the supply chain
• Decision Making: Increased information requires new strategic and tactical decision-making processes.

Supply chain traditionally has been seen as part of internal operations; it is something that happens behind the scenes for your customers. In the past, customers did not care where you made your products or how you sourced them as long as you delivered them on time, at the appropriate cost, and in good condition. However, this is all changing. Companies and governments around the world are realizing that the supply chain is an ideal way for attackers to quietly infiltrate their networks and infect a system well before customers place an order. Companies, large and small, have to begin looking at supply chain security as part of their overall supply chain risk management.

By prioritizing supply chain cybersecurity, you are well on your way to tackling this complex issue. You have an opportunity to mitigate cyber risk and transform your supply chain risk management capability into a competitive advantage to inform your broader business.

■ Increasing expectations

The U.S. government has been a force for driving higher-level visibility and controls across the supply chain. As the future progresses, insurance companies will be an even larger driver for increasing supply chain standards. Business continuity policies are in place to address threats that disrupt the supply chain. Companies with weak supply chain cyber security policies and procedures could find their insurers raising their premiums or excluding claims in case of a breach. The next wave of standards could take shape with requiring you to maintain a list of all cyber sensitive supply chain components as well as develop comprehensive risk frameworks to classify, prioritize, and proactively manage the sourcing of each of those components. You need to proactively get ahead of these standards. Prove to the government, insurers, and your customers that you have a strong supply chain cybersecurity capability.

It is not just the U.S. federal government that is raising the stakes. Many clients also are demanding to know more about the supply chain. Private sector clients are realizing that securing high assurance services on an untrusted hardware platform is the same as building a fort on a foundation of shifting sand. They want to know the depth of visibility into the components and services of products, and they want to be reassured that there are controls in place to manage a robust supply chain cybersecurity program. As with the government, many of these requests and requirements are at an all-time high and will become more sophisticated and comprehensive only during the next several years. If you are their supplier, they know that you are only as trustworthy as your supply chain.

■ How to create both a secure and compliant

Complying with standards and guidelines is not enough for securing all of the factors you need to comprehensively increase your security posture. Although standards strive to create consistency among cybersecurity programs, the fundamental truth is that there is no formula for security. Standards and frameworks can help identify the landscape of potential areas to address and may let you set a minimum level of performance, but that’s it. You must move beyond merely striving to be compliant rather than noncompliant. Supply chain cybersecurity is more than an IT problem. If not used in the appropriate context, standards can be a generic solution to a highly individualized problem set. Supply chain risk is tied intimately to your business strategy and operations, and it must be tailored to your organization.

Rather than focusing on a standard, look at your program with a maturity lens. Understand the various degrees of risk you face. Then, within a well-established structure, decide where you need to invest and develop. It is up to you to prioritize the control areas to address. Focus on your current maturity in those areas and what you must do to increase your maturity. Focusing on your maturity provides you with an opportunity to identify where your program stands today, where it must be in the future, and how to get there. A maturity approach is not “one size fits all.” Special considerations for your organization could necessitate that your approach be different than that of a competitor. Using a maturity model also allows you to answer the questions that are not yet asked by compliance while aligning your supply chain to your business strategy. It allows you to focus on increasing your overall security and to stay ahead of the curve.

■ Where do I start?

Developing a robust supply chain cybersecurity program is complex, but that doesn’t mean your approach has to be. It requires a risk-based prioritization approach to changes in policy, supplier contracts, resource allocation, and investment. Most companies do not have the appetite or the budget for wholesale, drastic changes. If you are like most organizations, you face the dilemma of not knowing where to begin.

So the best place to start is to get your arms around what has to be done.

1. Conduct a maturity assessment and build a roadmap.

Your organization needs a plan for the path forward in securing your supply chain. Before you transition to developing a roadmap, you must begin with a maturity assessment. Supply chain cybersecurity program maturity assessments are simply gap analyses between how well your program operates today compared with how it should operate in a target state. To evaluate this, you must identify the key controls that apply to supply chain risk management—either controls you already use as part of your corporate cybersecurity program or controls that may be more unique to supply chain. Even if you use existing controls, you should modify them to apply to your supply chain operations.

Next, identify key objectives for each control you plan to evaluate. Threat intelligence, for example, may have data collection, analysis, and distribution as key control objectives. For each objective, define a scale as well as the key characteristics for each step in that scale. Taking the threat intelligence example, a low maturity rating for data collection could be the ad hoc collection of threat data via unstructured sources, such as email. A higher maturity implementation of data collection would be a comprehensive ingestion of multiple formal data feeds that can be analyzed automatically and efficiently.

Next, conduct a baseline assessment of your current state—an honest assessment, backed by examples. This will help you surface risks associated with each control. After the baseline, define the target state for each control. The target state should be a balance between high effectiveness and practical costs, keeping in mind that not all controls need the highest level of maturity. Comparing the target state with the baseline provides you the gap you need to

The outcome of your maturity assessment will be a robust roadmap designed to transform your supply chain cybersecurity program. This equates to quick wins and key priorities for your organization. It should also help address the key requirements your customers demand.

Maturity Assessment Tip
The set of controls you select for your maturity assessment should incorporate the compliance standards that customers might use as part of their Request for Proposal requirements (e.g., NIST SP 800-161). You likely will cover more controls than these standards, but mapping them will allow you to kill two birds with one stone.

2. Identify key risks throughout your supply chain lifecycle.

Breaking down your supply chain lifecycle into discrete phases can help you identify key risks for each phase. Each phase presents its own vulnerabilities and risks. For example, during the distribution phase, threat actors can intercept physical deliveries of products, place malware in cyber sensitive components, and allow the shipments to continue to end customers. As you identify risks for each phase, you have to assess the likelihood and impact of each risk. This prioritized list becomes your risk agenda and helps determine what to address first to enhance your supply chain cybersecurity program.

3. Decompose your key product lines.

To assess the visibility, control, and risks in your supply chain, select a few key product lines and decompose them into their cyber sensitive components. Then see how much information you can collect on their manufacturing sources, acceptance testing, suppliers, and intended customers. You will likely find that your internal systems and policies are prohibiting you from this level of visibility; however, it is this level of visibility that customers will be demanding in the future, if not already. Once you can obtain this kind of visibility, you can then assess the processes, controls, and risks associated with those cyber sensitive components.

Five Common Early Wins
Below are five common ways you can gain early traction with your supply chain cybersecurity program:
• Integrate/enhance component tracking
• Include cyber in your supply chain risk management framework
• Enhance acceptance testing
• Conduct supply chain vulnerability penetration testing
• Enhance monitoring of supplier network access points

■ Supply chain cybersecurity as a differentiator

The risks and expectations of your supply chain cybersecurity are increasing as threats become more sophisticated and customers’ expectations rise. As you inherit the vulnerabilities from your suppliers and the risks of your customers, you have to be more aware of how your supply chain can become an attack chain. Compliance is not enough; you must develop a robust maturity model to help identify your vulnerabilities and develop a roadmap to reduce your risks.

Companies that are able to effectively manage their supply chain risks will have the advantage in the market. Understanding how to identify risk and then effectively manage those risks will allow you to be in greater control of your supply chain. A robust supply chain cyber risk management program will allow you to close vulnerabilities, making you less of a target for attackers while helping you meet and even shape your customer expectations. The trust in your brand and the quality of your product depend on the strength of your supply chain cybersecurity.

Creating the right balance of security and resilience in your supply chain will allow you to build a foundationally stronger supply chain cybersecurity program. This not only will differentiate you from your competitors but also will allow you to better understand the opportunities and advantages that are key to your success.
Covington & Burling LLP – David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate

Managing risk associated with third-party outsourcing

■ Third-party outsourcing and cybersecurity risk

Businesses increasingly work with third parties in ways that can render otherwise well-guarded data vulnerable to attack or accidental disclosure. These third parties can include technology service providers; other major business function vendors, such as payroll, insurance, and benefits companies; and accounting and finance, advertising, delivery and lettershop, legal, and other consulting

Many of these commercial relationships require sensitive information—whether the business’ own confidential business information or the personal information of its employees or customers—to be shared with, or stored by, the third parties. Such relationships also may entail third-party access to a company’s networks. There is, in turn, an inherent risk in the third-party services: they can create new avenues of attack against a company’s data or its systems and networks—and those avenues require appropriate mitigation.

Perhaps no data security breach highlighted this risk more than the incident incurred by Target. That incident began not with a direct attack on the Target network but with a phishing attack on a Pennsylvania HVAC contractor that had access to Target’s external billing and project management portals. The HVAC contractor depended on a free version of consumer anti-malware software that allegedly failed to provide real-time protection. Once the phishing campaign succeeded in installing key-logging malware, the hackers obtained the HVAC contractor’s credentials to Target’s external billing and project management systems and from there infiltrated Target’s internal network, eventually reaching Target’s customer databases and point-of-sale systems.

The results of the Target breach are well known: the personal information of up to 70 million customers was compromised, and about 40 million customers had their credit or debit card information stolen. By the end of 2014, the costs to Target from the breach had exceeded $150 million. These costs include the litigation and settlement expenses resulting from lawsuits brought by consumers and credit card issuers. Further, in the quarter in which the data breach occurred, Target’s year-over-year earnings plummeted 46 percent. Ultimately, in the aftermath of the breach, Target’s CEO resigned.

The Target breach was not an isolated incident. In 2014, a Ponemon Institute survey found that in 20 percent of data breaches, a failure to properly vet a third party contributed to the breach. Even more troubling, 40 percent of the respondents to another Ponemon survey named third-party access to or management of sensitive data as one of the top two barriers to improving cybersecurity. Further, the Ponemon Institute’s 2015 U.S. Cost of Data Breach Study reports that third-party involvement in a data breach increased the per capita cost of data breaches more than any other factor.

However, despite the cybersecurity risks posed by third-party service providers, many companies fail to systematically address such risks. Only 52 percent of companies surveyed in a 2014 Ponemon Institute report have a program in place to systematically manage third-party cybersecurity risk.

■ Legal risks

Although there are many commercial and other reasons to adopt strong third-party risk management processes, a variety of legal frameworks require the management of third-party risk. Examples of such statutory or regulatory requirements include the following:
• the Interagency Guidelines Establishing Information Security Standards that implement Section 501 of the Gramm-Leach-Bliley Act and require financial institutions to engage in due diligence in the selection of service providers, to use contractual provisions to manage third-party risk, and, in some cases, to monitor service providers on an ongoing basis (e.g., 12 C.F.R. Pt. 225, App. F at III.D.)
• the HIPAA Privacy Rule, requiring specific contractual provisions in dealing with business associates who handle protected health information, 45 C.F.R. §164.502(e) (2014)
• state regulations, such as the Massachusetts Standards for the Protection of Personal Information, requiring reasonable steps in selecting third parties and the use of contractual provisions to require their compliance with Massachusetts law, 201 Mass Code Regs. 17.03(2)(f).

In addition, the Federal Trade Commission has applied its authority under Section 5 of the FTC Act, 15 U.S.C. §45 (governing unfair acts and deceptive trade practices) to apply to cybersecurity and data security, and has taken action against companies that fail to take “reasonable steps to select and retain service providers capable of appropriately safeguarding personal information,” a de facto regulatory requirement. See, for example, GMR Transcription Servs., Inc., F.T.C. Docket No. C–4482, File No. 122–3095, 2014 WL 4252393 (Aug. 14, 2014).

■ Sources of third-party cybersecurity risk

The cybersecurity and privacy risks generated by third-party engagements include the following:
• breaches of personal data—whether the personal data of customers or employees—and the attendant regulatory obligations (e.g., notification requirements), as well as legal liability, as in the Target breach
• breaches of a business’s proprietary data, including the following:
  • competitively sensitive data, privileged information, attorney work product, and trade secrets
  • business partner data resulting in obligations to notify business partners as well as potential contractual liability to them
  • data that result in financial harm to the company, such as bank account
  • other confidential, market moving insider information in the hands of third parties such as investment bankers, consultants, and lawyers, such as information regarding nonpublic M&A activity, clinical trial results, or regulatory approvals
• the introduction into internal networks of viruses or other malicious code, as in the Dairy Queen attack, in which vendor credentials were used to gain access to internal networks and eventually install malware targeting point-of-sale systems
• the introduction of other vulnerabilities to IT systems, for instance, by the use of vulnerable third-party applications or code, as occurred in the Heartbleed OpenSSL exploit that potentially exposed the data transmitted to and from secure web servers
• misuse and secondary use of company data such as for direct marketing or data mining for the benefit of the vendor
• “fourth-party” risk, that is, the third-party cybersecurity risks introduced by a vendor’s relationships with its own third-party service providers and
• potential director or management liability for breach of fiduciary duty in the exercise of cybersecurity oversight.

To help manage this array of risks effectively, companies may consider whether they have appropriate procedures in place to evaluate and monitor individual vendors, as well as a program to manage and monitor third-party

■ Engagement-level management of third-party cybersecurity risk

The appropriate measures needed to scrutinize and monitor third-party service providers will depend to a large extent upon the sophistication of the vendor and the nature of the IT systems and data at issue. Nonetheless, three elements are common to all third-party risk management:
1. due diligence prior to entering an
2. contractual commitments and legal risk
3. ongoing monitoring and oversight.

■ Pre-engagement due diligence

A critical element of managing third-party risk is the assessment of the third party’s own security practices and posture before any contract is signed. Such diligence is crucial for the identification and evaluation of risks, and, in turn, can ensure that such risks are mitigated before the engagement, including through the use of contractual provisions. The actual evaluation may be more ad hoc (i.e., conversations with key business or technology stakeholders) or formal (i.e., through a questionnaire or even on-site assessment), and the extent of an evaluation may depend on various factors in the prospective relationship, including, for example, whether the service provider will have access to the company’s IT systems, the nature of the information that it may access, and whether it will store such

Depending on the extent of the relationship and information that may be accessed by the vendor, the following areas of inquiry may be necessary to inform a cybersecurity diligence assessment:
• whether and how often the vendor has experienced cybersecurity incidents in the past, the severity of those incidents, and the quality of the vendor’s response
• whether the vendor maintains cybersecurity policies, such as whether the vendor has a written security policy or plan
• organizational considerations, such as whether the vendor maintains sufficient and appropriately trained personnel to

    ■ 216
    ■ Contractual risk and negotiation
    In addition to evaluating third parties on the
    basis of their cybersecurity practices, anoth-
    er important risk mitigation tool is the actual
    contractual language. As with other areas,
    contractual requirements can be an effective
    way to allocate risk and responsibility for
    potential breaches of cybersecurity, includ-
    ing the investigation and remediation of
    such incidents. Commonly negotiated terms
    include the following:
    � a requirement that the vendor have a
    written information security program
    that complies with applicable law or
    other regulatory or industry standards
    � limits and conditions on the use of
    subcontractors and other third-party
    service providers
    � restrictions on secondary use of data,
    including making clear that the customer
    remains the owner of any data transmitted
    to the vendor and any derivatives of that
    � mandatory and timely notifi cation in case
    of a security incident
    � rights to audit or otherwise monitor the
    vendor’s compliance with the terms of
    the contract
    � in case of a breach, a requirement that the
    vendor take on reasonable measures to
    correct its security processes and take any
    necessary remediation steps
    � provisions ensuring an orderly transition
    to in-house systems or another third
    party in case of the termination of the
    In addition to such terms, indemnifi cation
    clauses can be used to shift the risk of data
    breach onto the third party and to incentiv-
    ize healthy security practices. To accompany
    an indemnifi cation clause, it sometimes can
    be desirable to draft clauses that defi ne
    when the entity is or is not liable, on which
    party the burden of proof falls, and how
    root-cause analysis should be conducted. To
    ensure capacity to take on the fi nancial costs
    protect the data and/or service at issue
    and respond to incidents
    � human resources practices, particularly
    background screening of employees,
    cybersecurity training, and the handling
    of terminations
    � access controls, particularly whether
    controls are in place that restrict access
    to information and uniquely identify
    users such that access attempts can be
    monitored and reviewed
    � encryption practices, including whether
    information is encrypted at rest, whether
    information transmitted to or from
    the vendor is properly encrypted, and
    whether cryptographic keys are properly
    � evaluation of in what country any data
    will be stored
    � the vendor ’s policies regarding the
    secondary use of customer data, and
    whether IT systems are created in
    such a way as to respect limitations on
    secondary use
    � physical security, including resilience
    and disaster recovery functions and
    the use of personnel and technology to
    prevent unauthorized physical access to
    � back-up and recovery practices
    � change control management, including
    protocols on the installation of and
    execution of software
    � system acquisition, development, and
    maintenance to manage risk from software
    development or the deployment of new
    software or hardware
    � risk management of the vendor’s own
    third-party vendors
    � incident response plans, including
    whether evidence of an incident
    is collected and retained so as to be
    presentable to a court and whether the
    vendor periodically tests its response
    � whether the vendor conducts regular,
    independent audits of its privacy and
    information security practices

    217 ■
    Although relatively uncommon outside
    of certain regulated industries, such as the
    fi nancial and health-care industries, provi-
    sions in vendor contracts for regular secu-
    rity audits by an independent third party
    provide a robust but intrusive form of
    periodic monitoring. However, it is not
    always possible to obtain audit rights from
    a vendor. Alternatively, the vendor could
    be required to provide up-to-date certifi ca-
    tions of compliance with industry stand-
    ards or regular, third-party audit reports.
    In addition, to manage fourth-party risk,
    vendors could be required to perform ini-
    tial and periodic assessments of their own
    service providers and vendors if they will
    be handling sensitive information. If, in
    the course of an audit, vulnerabilities are
    identifi ed or practices are found that are
    not in compliance with industry practices
    or regulatory requirements, the vendor
    may be required to notify the customer
    and correct any outstanding issues in a
    timely fashion.
    As part of ongoing monitoring of vendor
    cybersecurity, it is useful if the contract with
    a third-party service provider also includes
    notifi cation and remediation provisions if
    the vendor becomes aware of defi ciencies in
    its cybersecurity posture. In addition, as part
    of the remedies, the outsourcing party may
    seek the right to terminate the agreement
    immediately and to receive a pro rata refund
    of any fees paid or payable. In addition to
    contractual provisions dealing with the ter-
    mination, contingency plans to facilitate an
    orderly end to the third-party relationship
    and a smooth transition to an in-house solu-
    tion or another a third-party provider may
    prove useful.
    ■ Conclusion
    The measures described above—diligence,
    contractual terms, and continued monitor-
    ing and oversight—are critical elements of a
    comprehensive cybersecurity program that
    includes managing third-party relationships.
    To effectuate these elements, in turn, it often
    of a breach, third parties are frequently
    required to obtain a cybersecurity insurance
    From the business’s perspective a third-
    party vendor should be fully responsible for
    any liability for data breaches that occur
    while the data are under the vendor’s con-
    trol. However, vendors often push for caps
    on their cybersecurity liability. To guide
    negotiations as to appropriate caps on liabil-
    ity, consider the type of data processed or
    accessed by the third party (e.g., how sensi-
    tive is it, does it relate to employees, con-
    sumers, or is it not personally identifying
    information), the volume of records to be
    handled by the third party, the ability for the
    customer to implement security controls
    such as encryption, the nature and extent of
    the third-party promises on cybersecurity,
    and the brand and reputation of the third
    party with respect to data security. Based on
    those inputs, a company can then consider
    the potential losses and sources of third-
    party liability to evaluate what constitutes
    an acceptable level of risk in terms of exclu-
    sions for indemnifi cations and caps on liabil-
    ity. A business also may consider offsetting
    any contractual concessions with corre-
    sponding increases in their own cybersecu-
    rity insurance coverage.
    ■ Ongoing monitoring and oversight
    Ongoing monitoring and oversight of third-
    party service providers is essential given the
    rapidly changing landscape of cybersecurity
    threats. Whereas due diligence provides a
    snapshot of a third party’s cybersecurity
    stance at a specifi c point in time, continual
    monitoring and the right to such monitoring
    are necessary to help ensure that the third
    party responds and adapts to secure its sys-
    tems against new threats. Over the life of the
    relationship, periodic checks, including on-
    site reviews of vendor, can be important
    oversight mechanisms. Other monitoring
    requirements include access to timely and
    accurate records and reports of the third-
    party provider’s cybersecurity posture.

    ■ 218 SecurityRoundtable.org
    that scales due diligence, contractual obliga-
    tions, and oversight processes according to
    the nature and extent of the cybersecurity
    risks presented by the vendor relationship.
    In all events, it is important that organiza-
    tions periodically review their processes for
    evaluating and overseeing third-party rela-
    tionships to ensure that such processes are
    periodically updated and appropriately tai-
    lored to address new and emerging threats.
    is helpful to have standardized processes
    and documentation.
    Examples include standardized diligence
    checklists and questionnaires, template con-
    tract addendums addressing cybersecurity
    issues, and standardized schedules for
    audits and other forms of monitoring.
    Because there is no one-size-fi ts-all approach
    that is appropriate for every vendor, it is
    appropriate to implement a tiered approach

    219 ■
    Delta Risk LLC – Thomas Fuhrman, President
    A new look at an old threat
    in cyberspace: The insider

    The fi rst thing that business leaders should do about the
    insider threat is to take it seriously.“
    People are, without doubt, the most consequential part
    of cybersecurity. They design the hardware, write the
    software, build the systems, confi gure and manage the
    boxes, install the software patches, and, obviously, use
    the computers. At every point in cyberspace, people create
    vulnerabilities. Whether they realize it, people are a major
    security risk. The insider threat, however, is not just a
    product of conscientious but fallible humans: the dark side
    of human nature is also in play. The idea of the ‘enemy
    within’ is as old as the hills, and its cyber equivalent is too.
    The insider threat to computer systems and networks
    has been a recognized reality for decades. It was a topic in
    1970 in the landmark report by the RAND Corporation,
    Security Controls for Computer Systems, and its roots go
    back even further. However, since 2013 when defense
    computer systems contractor Edward Snowden—an
    insider—carried out one of the largest and most signifi –
    cant unauthorized disclosures of classifi ed government
    information in U.S. history, the issue was brought home to
    business executives. They realized, “If that can happen to
    the National Security Agency, it can happen to me.”
    ■ What’s new with the insider threat?
    In this, the post-Snowden era, the potential impact of the
    insider has become a much more tangible issue to compa-
    nies and organizations of every kind. However, although
    this heightened awareness is new, there are also other
    recent developments that make the current insider threat
    challenge more diffi cult than ever. Key among such devel-
    opments are the following:
    � the vast amount of vital business and personal data
    that is online

    ■ 220
    to effi ciently screen potential employees, man-
    age access rights, enforce obligations, detect
    malicious tendencies and behaviors, and
    implement security controls are needed.
    The insider threat is usually thought of as
    having two types: the malicious insider and
    the unwitting insider. Although these two
    types of insider are very different in motiva-
    tions and objectives, they can have similar
    ruinous effects on the organization.
    � The malicious insider. The malicious insider
    is the ‘spy’ or ‘traitor’ who represents
    the insider cyberthreat at its most basic.
    This rogue employee, at most a small
    percentage of the workforce (Spectorsoft
    reports that an estimated 10 percent of
    employees account for 95 percent of
    incidents), uses her or his legitimate access
    to a company’s information resources to
    deliberately harm the organization.
    Malicious insiders know about the organi-
    zation’s information, its systems, its struc-
    ture and people, and its internal opera-
    tions. They have access to the enterprise
    network from inside the perimeter defens-
    es. They can do damage such as stealing
    data, disabling systems, and installing
    viruses or malware. Those with privileged
    access can do even more, such as disabling
    accounts, destroying backups, changing
    confi guration fi les, and more. Those with-
    out privileged access can sometimes get
    it through insider trickery, bypassing
    authentication processes or gaining access
    through the credentials of others. Snowden
    himself reportedly persuaded colleagues
    to share passwords with him to get access
    beyond what he was already allowed.
    A fundamental and important point to
    recognize is that the insider as a malicious
    threat is not limited to the cyber and infor-
    mation systems realm. Other targets and
    methods are possible, including physical
    theft, destruction, or violence, coercion
    and extortion, or other non-cyber actions.
    This fact has a direct bearing on the
    approaches available to prevent, detect,
    � the migration of data outside the security
    perimeter of the enterprise through
    the widespread adoption of cloud-
    based services, increased outsourcing,
    increasingly Internet-enabled supply
    chain operations, and the ubiquity of
    mobile communications and computing
    devices in the ‘bring your own device’
    (BYOD) environment
    � the increase in the marketability of
    sensitive, personal, proprietary, or
    confi dential data through global cyber
    crime syndicates and hacker networks.
    These developments in combination invest
    more power—and risk—in the individual
    insider and make ‘keeping a secret while selec-
    tively sharing it’ a harder problem than ever.
    From a cyber perspective, the insider is
    the person who the enterprise has entrusted
    to access and operate with the company’s
    data and information resources in the rou-
    tine course of business. Anyone who has
    legitimate (or ‘authorized’) access to the
    information and the business systems, data-
    bases, email, or other information resources
    of the enterprise is an insider.
    In many companies today, a large number
    of legitimate insiders are not actually
    employees. This group includes former
    employees, contractors, business partners,
    vendors, suppliers, and others such as cloud
    service providers and business application
    hosting services that have been granted
    access to corporate enterprise networks.
    Evidence indicates that the access privileges
    of such non-employee insiders are diffi cult
    to manage and thus more easily exploited. In
    the large data breach at The Home Depot in
    2014, for example, the hackers entered the
    corporate network through a vendor’s legiti-
    mate access credentials.
    Can employees and other insiders be
    trusted? The answer, of course, is mostly yes.
    It has to be. Business runs on human capital.
    Without trustworthy insiders, the organiza-
    tion cannot function. However, the residual
    ‘no’ is a cause for serious concern. Seen in
    this light the question is more about setting
    the limits of trust at the right level. Better ways

    221 ■
    become unconcerned about the associated
    security and privacy risks. Users sometimes
    bring such personal Internet habits into the
    workplace, often paradoxically because of
    their zeal to do their jobs. They may insert a
    thumb drive into a corporate machine to
    transfer a fi le. (“I needed to work on the
    fi le—what was I supposed to do?”) They
    could sync a personal smartphone to a cor-
    porate computer. (“What’s wrong with
    that?”) They may drop a proprietary docu-
    ment into a public cloud. (“I need to work
    on it while I travel.”) The list continues. All
    of these actions and many others like them
    by the unwitting insider create serious
    enterprise security risks.
    The single most common security weak-
    ness of most people is a susceptibility to
    phishing attacks. Phishing is a form of
    ‘social engineering’ that has the goal of
    getting information such as usernames,
    passwords, or credit card numbers.
    Phishing usually starts with a fraudulent
    email message (although other mecha-
    nisms are also used) that appears to be
    from a legitimate or known source. The
    message may contain an attachment that,
    if opened, installs malware on the victim’s
    computer, or the message may direct the
    user to a website that is also designed to
    look legitimate, even familiar, to the target
    victim. This bogus website prompts the
    user to enter information such as log-in
    credentials or account numbers. If the
    user’s suspicions have not been aroused,
    she or he may enter the requested data—
    and gotcha!—the hacker has succeeded in
    capturing information that can be used for
    access later. Alternatively or in addition,
    the bogus website may push out a virus,
    remote access software, key-logging soft-
    ware, or other malware. Very often phish-
    ing is the start of a chain of exploits that
    leads to a very serious breach. The Verizon
    2015 Data Breach Investigations Report
    (DBIR) states that more than 75% of mal-
    ware installs were the result of unwitting
    users clicking on attachments or web links
    contained in emails.
    and act against malicious or potentially
    malicious insiders.
    The psychology of the malicious insider is
    a defi ned fi eld of study. In short, an insider
    can become a threat for many reasons—
    including for example, anger as a result of
    workplace confl icts or disputes, fear of
    termination, dissatisfaction with work-
    place policies, ideology, or fi nancial need.
    � The unwitting insider. Almost anyone can
    fall into the category of unwitting insider
    threat agent, including senior executives.
    As a threat actor, the unwitting insider
    unintentionally and unknowingly
    makes security blunders that expose the
    enterprise to serious cyber risks.
    Because the pool of potential unwitting
    actors is so large and their behaviors are
    unintentional and hard to predict, the
    unwitting insider is one of the most dan-
    gerous weak points in the entire enterprise.
    One group of insiders who can pose a
    major threat are those who have a lax atti-
    tude about security. These attitudes are not
    always obvious. Security awareness cam-
    paigns are so commonplace now that just
    about everyone exercises at least some cau-
    tion in online activities. At the same time,
    though, we can also observe that a certain
    insouciance about the risks in cyberspace
    has crept into the behavior of many people.
    The same person who would refrain from
    using the word ‘password’ as a password
    or from writing it on a sticky note to place
    on the computer monitor may think noth-
    ing of other poor security practices.
    Today’s culture, for example, seems to
    encourage the melding of personal and
    professional pursuits. People have become
    so accustomed to online life—being always
    connected, using multiple computing plat-
    forms, putting their ‘whole life’ (as they
    say) on their smartphones, or posting pho-
    tos and personal information on social
    websites—that it appears many have

    ■ 222
    in shares of the Brooklyn Bridge, the
    unwitting person can easily be taken in by
    a well-designed phishing ploy. However,
    whether the result of inadvertent or delib-
    erate acts, the impact to the organization
    can be the same—fi nancial loss, compro-
    mise of intellectual property, theft of cus-
    tomer personal information and credit
    card data, and reputational harm or loss of
    competitive position.
    This highlights a third and more sinister
    type of ‘insider ’ that must also be
    considered—the malicious outsider
    posing as an insider. Such actors explic-
    itly seek to exploit insiders by appropri-
    ating their credentials and moving
    unnoticed within the network.
    Figure 1 illustrates the categories of the
    insider threat, along with typical motiva-
    tions and potential impacts.
    Phishing also is used in a more focused
    way that targets specific people—
    frequently senior executives or people in
    the organization who have privileged
    access to information resources. The
    hacker will mine the Internet for personal
    information on the target, information
    that only the target would know, names
    and contact information of colleagues,
    web browsing and purchase history,
    non-business activities and community
    involvement, even writing styles to zoom
    in on that specifi c person. When such
    information is used in a phishing email,
    the look and feel, the text, and the context
    of the message can appear unexceptional
    and entirely authentic. If this were a game
    it would be unfair. The target frequently
    falls for the scheme.
    Like the poor soul who sends money to the
    Nigerian prince or the person who invests
    Threat Actors
    Unwitting insider
    Malicious insider
    Malicious outsider
    posing as an
    • Efficiency and
    • Customer service
    • `Getting the job done´
    • Financial gain
    • Do harm to the company
    • Fraud or theft of money
    • Exploit the access of a
    legitimate user
    • Bypass security controls on
    privilege escalation and lateral
    movement throughout the
    network to get to key systems
    for exfiltration and/or
    insertion of malware
    • Do harm to the company
    • Advance an ideology or
    other personal agenda
    • Advance an ideology or
    other personal agenda
    • Financial gain—obtain
    sensistive data that can
    be monetized
    • Use legitimate access for
    illegitimate purposes
    • Theft of sensitive
    information (e.g.,
    personally identifiable
    information, intellectual
    property, proprietary
    • Financial fraud or theft
    • Damaged or destroyed
    information resources
    • Sabotaged product (the
    merchandise produced
    by the enterprise)
    • Reputation harm and
    customer alienation; loss
    of revenue
    • Insertion of malware
    and/or establishing a
    long-term presence in
    the network for repeat
    • Move sensitive internal data to a
    public cloud
    • Lose a laptop
    • Use a memory stick to import or
    export data
    • Mix company data with personal
    data on moblie devices
    Insider threat actors and their effects

    223 ■
    cybercrime is exhibited in the tradecraft
    that is applied once the initial breach is
    The outsider-posing-as-insider is not
    interested in impersonating a particular
    person other than to use the person’s net-
    work or system credentials. Through
    password cracking and other techniques,
    a hacker can exploit the credentials of
    more than one authorized user or admin-
    istrator in the course of an attack. Unlike
    the true insider, the only observables that
    the outsider leaves are those network
    footprints and fi ngerprints that may show
    up in system logs or the actual malware
    code or other digital fragments they
    leave behind.
    ■ The dimensions of the insider threat
    The insider threat is easy to understand in
    concept but very hard to quantify in prac-
    tice. How big of a threat is it? Hard data and
    statistics on the frequency of occurrence and
    the impact of insider threats have histori-
    cally been elusive and remain so. Lack of
    detection and discovery of insider events,
    and an unwillingness to share or report
    them, are two of the primary reasons for the
    paucity of data. Nevertheless, recent insider
    threat surveys and breach data analyses are
    consistent in their main fi ndings, including
    the following:
    � There has been an increase in insider
    threat events in the last few years.
    � Most organizations do not have adequate
    controls in place to prevent or thwart
    insider attacks.
    � Insider attacks are believed to be more
    diffi cult to detect than external attacks.
    � Third parties and other non-employee
    insiders represent a major risk, and
    insuffi cient attention is devoted to
    managing them. Most contracts and
    service level agreements with external
    vendors, suppliers, and business partners
    do not include robust security provisions.
    � Insider policy violations and inappropriate
    activity are often discovered only during
    � The outsider posing as an insider. This
    type of insider is not an insider in the
    true sense, but rather an imposter who
    uses the legitimate credentials of others
    to access the network in ways the real
    user would not. This actor seeks to get
    legitimate credentials using a variety of
    tactics and techniques. He then uses these
    acquired credentials to access password
    fi les, directories and access control lists,
    and other network resources—which is
    made easier if the credentials are already
    those of a system administrator or other
    privileged user.
    As described above, the unwitting insider
    is very commonly exploited by sophisti-
    cated hackers as a soft point of entry for
    advanced attacks. Elaborate penetration
    techniques are hardly needed when a rel-
    atively simple phishing email is likely to
    serve the purpose. Upon achieving initial
    access, the hacker may try to move later-
    ally within the network or to escalate
    access privileges to implant advanced
    malware deeply in the network fabric.
    Phishing is the dominant mechanism
    used today to penetrate networks by even
    the most sophisticated hackers because it
    has a high success rate for very low cost.
    Other social engineering tactics include
    in-person deceit, such as impersonating
    someone in authority, pretending to rep-
    resent the Help Desk, asking someone for
    assistance, or claiming to have left an
    access badge inside the restricted area of a
    facility. It can be a particularly effective
    tactic because people usually try to be
    courteous and helpful.
    Hackers have tricks other than social engi-
    neering to obtain the access they desire.
    Most of the time, though, social engineer-
    ing can be found somewhere along the
    attack chain because it is a powerful and
    effi cient way of getting past perimeter
    defenses. The sophistication we hear
    about in reports of state-sponsored espio-
    nage, hacker networks, and organized

    ■ 224
    � Provide regular insider threat awareness
    training as well as realistic phishing
    training exercises. An organized
    phishing awareness exercise program
    can raise the company’s standard of
    performance in this critical area.
    � Establish a set of institutional values
    refl ecting the desired culture, select
    leaders based on their adherence
    to these values, and include
    demonstration of these values as
    an item on employee performance
    � Building a multi-disciplinary program.
    Establish an executive committee to
    manage an integrated multidisciplinary
    program designed to deter, prevent,
    detect, and respond to insider threats
    and to limit their impact. The program
    should have the active participation of
    the functional organizations across the
    business such as Risk, IT, Cybersecurity,
    Physical Security, Human Resources,
    Fraud, and General Counsel, as
    well as company-specific verticals
    (manufacturing, operations, etc.).
examination of user devices after individuals have left the organization.
• Most incidents are handled internally with no legal nor law enforcement action.

■ What to do

The first thing that business leaders should do about the insider threat is to take it seriously. Although there is widespread recognition that the threat is very serious, in most sectors there is insufficient follow-through to build the threat-specific plans, organizational structures, and controls to deal with it. What is needed is a comprehensive approach that addresses and leverages the unique aspects of the insider threat. Technology by itself is not the answer; the critical human dimension of the insider threat must also be

A comprehensive approach would include the following:

• Establishing a threat-aware culture of institutional integrity and personal reliability. Company culture is a product of many factors, but one of the most decisive is the behavior of senior leadership and the values they model. A culture of institutional integrity and personal reliability is conducive to success in almost any enterprise. Factors for achieving this include the following:
  • Create an environment in which self-directed employee actions reflect a high degree of institutional integrity and personal reliability.
  • Articulate clear expectations in an enterprise Acceptable Use Policy governing IT resources. This should be a formal signed agreement between the company and each employee and external party who has access to the enterprise IT resources or facilities.
  • Create a safe environment in which to self-report accidental actions that jeopardize security. Removing the stigma of having inadvertently committed a security violation can help minimize impact and help everyone

• Building a multi-disciplinary program to deter, prevent, detect, and respond to insider threats and to limit their impact. The program should include the following:
  • creation and oversight of policies related to the management of insider
  • regularized workflow, processes, and meetings to actively and collectively review threat intelligence, the internal threat landscape, internal indicators of risk, insider events, sponsored activities, and trends from each subdiscipline
  • implementation and oversight of personnel reliability processes from pre-employment background checks to off-boarding procedures to assess and act upon personnel security risks, behavioral risk indicators, and individual vulnerability to
  • decision-making authority pertaining to the integration of programs within each vertical, the aggregation of insider risk data across the verticals, and the corporate response to insider events
  • definition of requirements for employee training and awareness of insider threats and prevention measures.

• Building and operating security controls. Many of the security controls that already exist (or should exist) within the enterprise can be effective in detecting, preventing, or mitigating the results of insider threat activity. Key technical controls include the following:
  • access controls, particularly for privileged users (those with administrative authority)
  • data protection, including encryption, data loss prevention technology, data backups, and exfiltration monitoring
  • configuration management and secure configurations
  • vulnerability and patch management
  • internal network segmentation.

• Monitoring and detecting insider behavior. The program should seek to prevent insider attacks by capturing observable indicators of potential activity before insiders act. Intelligence on the insider threat generally comes from within the enterprise through either technical data or behavioral indicators:
  • Technical. The most significant sources of cyber-related technical intelligence are the real-time alerts and outputs of security appliances, network- and host-based sensors, and data loss prevention tools, as well as the network- and system-level logs that are generated automatically (if so configured) throughout the enterprise. In most enterprises these sources provide so much data that managing and effectively integrating it with operations become serious challenges. In addition, the volume of data drives a need for storage that can become acute depending on policy decisions regarding what logs are maintained and for how long. Insider threat-tracking tools in use today, such as data loss prevention, threat intelligence, and security information and event management (SIEM) systems, pinpoint potentially illicit activities by identifying anomalies in a person’s IT resource and data access patterns.
  • Non-technical. Unique to the insider threat is the availability of a large amount of relevant non-technical behavioral observables. Integrating operational intelligence information at the intersection of cybersecurity, fraud detection, and physical security can yield critical insights about potential insider threats. Examples of non-technical cyber data include the following:
    • email behavior: volume, content, and addressees; presence and type of attachments
    • workday activities: patterns of on/off duty time, including weekdays, weekends, and holidays; location
    • job performance: performance reviews, productivity, and time
    • indicators of affiliation: degree of participation in company-sponsored activities; indications of discontent through online behavior and social media usage.
  Analysis of this type of data through automated and manual processes can identify patterns of behavior that indicate at-risk employees or imminent insider attacks. There may also be value in integrating external threat intelligence for factors that could influence at-risk insiders. It is important that the company’s legal counsel advise the executive committee on informing employees of ongoing monitoring and how the data will be used. Oversight by the executive committee is essential to ensure it is operated within the bounds of policy.

• Having a plan. The executive committee should develop a detailed (though confidential) action plan for what to do in the event of actual or suspected insider misbehavior or law-breaking. The plan should describe how and when to contact law enforcement and other authorities regarding insider threats or actions. It should provide a framework of possible legal remedies to pursue in the event of an insider attack. This action plan should be tested on a regular basis through scenario-based exercises involving the company officials who would actually be involved if a real event were to occur.

• Evolving the approach. The executive committee should refine the program as the organization matures in the use of this capability within the specific business

• Not ‘going it alone.’ The executive committee should take advantage of the many resources available for planning and conducting operations pertaining to the insider threat. Proven approaches and practices for addressing this threat are available, allowing the company to build on the learnings of other organizations. (See inset box.)

The following resources can help enterprises deal with the insider threat. Each provides a wealth of information on proven approaches and practices that companies can build upon.
• Insider Risk Evaluation and Audit Tool. This tool is designed to help the user gauge an organization’s relative vulnerability to insider threats and adverse behavior including espionage against the U.S., theft of intangible assets or intellectual property, sabotage or attacks against networks or information systems, theft or embezzlement, illegal export of critical technology, and domestic terrorism or collaboration with foreign terrorist groups. The tool can be used for a number of purposes, including self-audit of an organization’s current defenses against insider abuse, the development of a strategic risk mitigation plan, and employee training and awareness.
• CERT Insider Threat Center. Since 2001, the CERT Insider Threat Center has conducted empirical research and analysis to develop and transition socio-technical solutions to combat insider cyberthreats. Partnering with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community, the CERT Insider Threat Center is positioned as a trusted broker that can provide short-term assistance to organizations and conduct ongoing research.
• Federal Bureau of Investigation. The Insider Threat: An introduction to detecting and deterring an insider spy. This brochure provides an introduction for managers and security personnel on how to detect an insider threat and provides tips on how to safeguard trade secrets.

SecurityRoundtable.org 227 ■

■ Summing up

Companies often declare that people are their greatest asset. Surely the human resource is what propels a company forward. However, the insider threat will always be present. Commitment, loyalty, and general affiliation with the organization cannot be taken for granted. Personal ethics and allegiance to the employer collide with the chance for selfish gains in those who have become security risks or who are vulnerable to compromise. With legitimate authorization to access company and information resources, a rogue insider can do tremendous harm to the company. The effects of an insider attack can be felt as financial loss, erosion of competitive position, brand degradation, customer alienation, and more. The Snowden disclosures of 2013 have, at least for now, sensitized business leaders to the grave risks posed by the insider threat.

The unwitting insider is the equal of the malicious insider in potential damaging impact. A momentary and unintentional lapse in vigilance regarding security threats can be all it takes for a major compromise to occur. Insiders are also the target for carefully scripted phishing tactics; the insider who innocently clicks a link in an email may enable damage to the company well beyond her or his pay grade.

However, there is much that the organization’s executive leadership can do to mitigate the insider threat, including establishing the right culture, implementing security controls, conducting ongoing monitoring and detection efforts, and being ready to respond quickly if indicators point to a likely insider threat. The following box summarizes the actions that are recommended here.

Summary of actions to address the insider threat
1. Establish a culture of threat awareness, institutional integrity, and personal reliability
  • Provide regular insider threat awareness training as well as realistic phishing training exercises.
  • Articulate clear expectations in an enterprise Acceptable Use Policy governing IT resources.
  • Create a safe environment in which to self-report accidental actions that jeopardize security.
2. Build a multi-disciplinary program to deter, prevent, detect, and respond to insider threats and to limit their impact.
3. Build and operate security controls designed to mitigate the insider risk.
4. Monitor insider behavior:
  • multiple interdisciplinary dimensions
  • draw on outside resources
  • look inside the network for observables of potential insider threat activity
5. Have a plan for what to do in the event of actual or suspected insider malfeasance
  • Know how and when to contact law enforcement and other authorities regarding insider threats.
  • Explore legal remedies.
6. Be ready to develop your approach as conditions continue to change.
7. Don’t ‘go at it alone.’ There are many resources available for planning and ongoing operations. Best practices can be implemented based on another organization’s learning

The Chertoff Group – Mark Weatherford, Principal

The Internet of Things

In the time it takes you to read this sentence—about eight seconds—approximately 150 new devices will have been added to the Internet of Things (IoT). That’s 61,500 new devices per hour, 1.5 million per day. There are currently about 7.4 billion devices connected to the IoT, more than there are human beings on the planet. By 2020, according to Gartner, there will be 26 billion. Cisco puts the number at 50 billion, and Morgan Stanley says it will be 75 billion. By any estimation, it will be a lot more devices than are in existence today.

People are beginning to notice this phenomenal rate of growth, and some companies are seeing incredible economic opportunities. However, the fact that the field has grown so quickly and so dynamically means that some of the lessons we’ve learned in the past about security and privacy are not being employed—in the interest of first-to-market opportunities—and the lack of oversight has many wondering about the unknown unknowns.

These three definitions together provide a starting point for understanding the IoT and its implications for our future:

• In the physical sense, the IoT is all of those billions of devices, installed on apparel, appliances, machines, vehicles, electronics—most of them incorporating sensors to gather bits of data and then sharing that information via the Internet through central servers. The concept of the IoT was introduced in 1999 and evolved from the Machine-to-Machine (M2M) technology that originated in the 1980s, in which computer processors communicated with each other over networks. The major difference is that most of the new devices cannot be considered processors but rather sensors and relays that simply facilitate the aggregation of data. Analogous to the shift to “cloud” computing, it may be useful to consider this new data-generating aspect as “the fog.”

is, in that existential meaning, the latest iteration of communication technology. Of course, as soon as we developed the ability to send information over great distances in just seconds, some people began to look for ways to capture that information from sources other than their own. Early twentieth century wartime code breakers monitoring the enemy’s radio communications often are mentioned as the first hackers.

The last aspect of the IoT should cause the most concern. As technology has become ever more sophisticated in its march toward providing greater capabilities for private enterprise, governments, and the people they serve, so have the tools and strategies of the people who would access and use the information for more malicious purposes. The lack of recognition about the seriousness