Cybersecurity Cyber Roles

The 'C' suite is primarily responsible for the high-level strategy and implementation of safeguards. For example: CEO, CIO, CRO (Chief Risk Officer), CFO, CISO (Chief Information Security Officer), CPO, etc. Cyber risk management requires co-operation and communication between the various executives. They establish corporate management policies and oversight and make decisions on major company issues, including cybersecurity.

In the USA, cyber events are now among the top 3 reasons for director and officer actions brought by shareholders. Some regulators now require the board of directors to approve the organisation's cybersecurity plan. This has led to some boards including cybersecurity experts in their makeup.

New roles and responsibilities are being established, such as:

  • The CIO aims to keep data flowing
  • The CISO wants to restrict data use and access
  • The Board is required to ensure both roles can be executed with appropriate controls
  • Boards must review and approve cybersecurity policies and procedures
  • The Board must understand third-party vendor risk
  • They must be familiar with the regulatory requirements, such as: GDPR, Insurance Data Security Act (USA), Privacy Act, etc.
  • Companies that grow through acquisition must integrate their cybersecurity strategies into the new acquisitions
  • Weak cybersecurity in an acquired company leads to weak cybersecurity in the parent company if this is not addressed

Vendors have a relationship to digital assets. They may implement systems and process data that belongs to the company, so they must maintain the security of your assets. Many data breaches have occurred because of poor security on the vendor's side. Vendors should therefore not be blindly trusted, and clear written agreements with vendors are vital.

Cybersecurity Attack Surfaces

There are two categories of attack surface: the global attack surface, which is reachable from the Internet, and the enterprise attack surface, which is reachable from inside the organisation.

Cybersecurity Assets

Digital assets can be categorised as: safety critical, mission critical, and transactional.

Cybersecurity IoT

IoT devices are designed and built quickly, but security is usually an afterthought. The consequence is that there are millions of IoT devices that have little or no security.

Cybersecurity CIA Triad

Confidentiality – first mentioned in 1976 by the US Air Force
Integrity – 1987 – from a paper that identified the need for data accuracy in the financial sector
Availability – 1988 – from discussions after the first Denial of Service attack – the Morris Worm

Cybersecurity Regulations

A regulation is a legal directive that establishes mechanisms that should/must be put in place.

The GDPR, or General Data Protection Regulation, is a European standard designed to protect personal data.

Cybersecurity guidelines may build on established frameworks to provide clear guidance and concrete steps for implementing them.

NIST – the National Institute of Standards and Technology provides a cybersecurity framework (800-53) for USA federal agencies.

International Standards Organisation: the ISO/IEC 27000 family of standards addresses how a management system measures specific requirements in order to manage the system from a cybersecurity perspective.

Cybersecurity PCI-DSS

PCI-DSS, the Payment Card Industry Data Security Standard, was first released in 2004 and is updated every 2 years.

6 major control objectives:

  • Build & maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Cybersecurity Maturity Model

1: Cyber Governance: How involved is the organisation in the governance of cybersecurity?
2: Reporting Methods: How are the cyber reports for the board created?
3: Security Team: How many people are on the team? Full time or Part time? Security, business or IT?
4: Security Tools: Which cybersecurity tools are used? How are they used? By which teams?
5: Risk Management Program: Risk, Vulnerability or Incident focussed?
6: Vendor Management: Are third parties being assessed? To what level?
7: Security Reporting: Who does the head of security or CISO report to?
8: Decision Makers: How many decision makers for cybersecurity are there?
9: Security Lead: What role takes accountability for cybersecurity?
10: Privacy Lead: Is there a privacy lead and if so, who is it?
11: Leadership: Who is driving cybersecurity purchases?
12: Security Investment: What is the level of security investment?
13: Cybersecurity Exposures: How many baseline exposures are there?
14: Weaknesses: What are the most prominent weaknesses in the cyber program?
15: Cyber Insurance: How much cyber insurance does the organisation have?
16: Digital Asset Management: How is this done - spreadsheets, a single system, an integrated system?
17: Disaster Recovery Program: How much confidence is there in the Disaster Recovery Plan?
18: Cyber Tool Strategy: What is the focus of the cybersecurity tool purchases?

These two questions may come up on the final exam:
what is the maturity model level on these companies?
Is this quite a good model?

Tactical Maturity companies have a cybersecurity team

  • Generally do not have a C-level executive
  • One or two people on the cybersecurity team
  • Companies in this category may have a turnover of US$1 billion annually
  • Heavy focus on compliance
  • Basic security tools:
    Off the shelf
    Have an IT mindset

Focused Maturity companies have an understanding of cybersecurity and the impact to their business if there is an attack

  • Senior leadership with an established reporting process
  • Standardised incident management
  • Operationally integrated multiple threat intelligence sources
  • Implementation of layered defenses
  • May rely too heavily on technology
  • Security leadership is more centralised but with limited control over cloud services
  • May implement cyber insurance

Strategic Maturity companies have integrated people, process and cybersecurity tools

  • Proactive about cybersecurity and risk management
  • Larger security teams with more resources
  • Understanding that security partners are required
  • Greater appreciation and understanding of the threat landscape
  • An insightful perspective on priority issues and actions
  • Security leader who is C-level

Pervasive Maturity companies embrace cybersecurity as an enterprise risk

  • Limit cybersecurity threats by:
    sophisticated integration of detection and protection capabilities
    Well-planned remediation and recovery activities
  • Standardise and embed security activities across their business processes
  • Do not solely rely on technology
  • Entire business has some engagement in security planning and execution

Tactical Maturity:

Characteristics:
Has a cybersecurity team, but no C-level executive.
Small team (1-2 people).
Focus on compliance.
Uses basic, off-the-shelf security tools.
IT mindset.
Annual turnover may be US$1 billion.
Corresponding generic maturity level: Managed (Repeatable). This level indicates that some basic cybersecurity processes exist, but they may be reactive and not fully integrated or optimised.
Focused Maturity:

Characteristics:
Understands cybersecurity and its impact on the business.
Has senior leadership and an established reporting process.
Standardised incident management.
Multiple threat intelligence sources integrated.
Layered defences implemented.
May rely too heavily on technology.
Centralised security leadership, but with limited control over cloud services.
Cyber insurance implemented.
Corresponding generic maturity level: Defined. Processes are better understood and managed systematically, with better integration and standardisation.
Strategic Maturity:

Characteristics:
People, process and cybersecurity tools are integrated.
Proactive about cybersecurity and risk management.
Larger security team and more resources.
Understands that security partners are needed.
Deeper understanding of the threat environment.
Insight into priority issues and actions.
The security leader is a C-level executive.
Corresponding generic maturity level: Quantitatively Managed. A proactive approach, with substantial resources and leadership invested, focused on continuous improvement and integration.
Pervasive Maturity:

Characteristics:
Treats cybersecurity as an enterprise risk.
Limits cybersecurity threats through sophisticated integration of detection and protection capabilities.
Well-planned remediation and recovery activities.
Standardises security activities and embeds them into business processes.
The whole company participates in security planning and execution.
Corresponding generic maturity level: Optimising. The organisation has fully integrated, mature processes, with a focus on continuous improvement and enterprise-wide participation in security practices.


Chao

A blogger who works in fits and starts, a chronic procrastinator; no good at anything, can't learn anything.