If we are ever going to make large-scale progress in cyberdefense, we must recognize that such improvements must be driven by business considerations, not by security wizardry. At its heart, cyberdefense is a decision-making, risk-managing machine, fueled by information and designed to deal with real-life business questions: What problems do we really need to solve, in what priority order, and what are our most effective options? How does this affect the overall risk to our business or operation? How do we know we have spent a reasonable amount to deal with this effectively? How do we know we are getting better? How do we show others that we have done the right and responsible thing?
In this session, we’ll walk through a real-world example of how a major transportation company is working to rationalize their cyberdefense control strategy and spending in a way that is consistent with their existing way of managing the full spectrum of business risks. Using the example of the CIS Critical Security Controls, we’ll examine how a controls framework translates attack and threat information into positive recommendations (controls). Then we’ll dig more deeply into how a company with an existing, mature risk management process interprets and applies those controls to the specific context of their enterprise. If you are looking for the “easy button”, look elsewhere. Expect a real-world and candid discussion about challenges, successes, dead-ends, and the problems still waiting to be solved.
Technical Level: Medium