: Rick Holmes, Assistant Vice President and Chief Information Security Officer , Union Pacific
If we are ever going to make large-scale progress in cyberdefense, we must recognize that large-scale improvements must be driven by business considerations, not by security wizardry. At its heart, cyberdefense is a decision-making, risk-managing machine, fueled by information and designed to deal with real-life business questions: what problems do we really need to solve, in what priority order, and what are our most effective options; how does this affect the overall risk to our business or operation; how do we know we’ve spent a reasonable amount to effectively deal with this; how do we know we are getting better; how do we show others that we have done the right and responsible thing?
In this session, we’ll walk through a real-world example of how a major transportation company is working to rationalize their cyberdefense control strategy and spending in a way that is consistent with their existing way of managing the full spectrum of business risks. Using the example of the CIS Critical Security Controls, we’ll examine how a controls framework translates attack and threat information into positive recommendations (controls). Then we’ll dig more deeply into how a company with an existing, mature risk management process interprets and applies those controls to the specific context of their enterprise. If you are looking for the “easy button”, look elsewhere. Expect a real-world and candid discussion about challenges, successes, dead-ends, and the problems still waiting to be solved.
- How a community-based approach translates millions of data points about attacks into a manageable number of positive control recommendations
- The challenges and struggles of translating any set of security controls into specific plans, priorities, actions
- The perspective of Boards and enterprise executives, and how they see cyber risk
- How to align the “wizardry” of cybersecurity controls into an existing risk management model
- How real-world enterprise experience can improve the development and effectiveness of security controls frameworks
Technical Level: Medium