Richard O. Moore, III

Cyber Intelligence-Driven Risk


Скачать книгу

hand to do that. The action and outcomes of this specific attack played a significant role in the development of the CI-DR program. One of the important processes that was implemented from the sharing of information through the ISAC was the need for cyber intelligence teams to collect, analyze, and produce reporting of attack vectors to the banking management teams for decisions on how to deploy resources.

      At different phases of the attack other institutions were doing similar activities, and after months of analysis and the velocity and growth of the attacks, teams using the initial vision of the CI-DR program were able to create a predictive analysis when the attack might occur. Most conversations that were happening in business leadership were not the old similar technology mitigation discussions; the conversations quickly changed focus to discuss whether this attack would impact capital reserves, what other risks might be encountered during this unprecedented cyberattack, and what amount of financial transactions and revenue losses would online banking systems and internet-facing systems incur. As these conversations grew and expanded, our organization had a plan to have the accountants and business analysts review the systems and provide transactional and revenue estimations for eight, sixteen, and twenty-four hours to determine the amount of loss each critical system could incur. Much of this information was derived from work done by the risk management team during their Business Impact Analysis reviews, and the “crown jewels” asset risk assessments conducted by the information security and business technology teams. One of the most difficult assessments that the accountants had to deal with was figuring out potential revenue loss and the number of hours it would take to lose it. This process that was incorporated after the attacks subsided is the original iteration of what is commonly called today a fusion center. A CI-DR fusion center can exist when bringing business owners, accountants, technologists, risk managers, cyber intelligence analysts, and cybersecurity personnel together to solve an organizational problem.

      To add additional scrutiny and anxiety for the executives, these plans had to be presented to the US Treasury and our financial regulators, which gave the executive team concern that we would be placed under supervisory letters if our decisions were steadfast. The cyber intelligence analysis from months of attack data was also provided to the Treasury and Regulators so they too could understand that the attackers usually turned off their attacks at 17:00 and that our exposure and loss rate was consistent with our risk models. It was the first time the organization's executives and management felt like they were making cybersecurity decisions and this grew my cyber intelligence program by leaps and bounds. Our intelligence estimates were off by thirty minutes, and we were back online transacting by 17:15 the same day. As the attacks were not subsiding through the spring of that year, the executive team, armed with the information from the collaborative efforts of the fusion team and the cyber intelligence analysis, made the decision to purchase the technology and reduce the financial losses even further. That organization is still using that same approach to mitigating other risks and how they purchase technology today as part of their risk management strategy. By leveraging this proven CI-DR framework it will enhance your cyber program from a pure technology thought to an operational risk program.

The CI-DR framework designed and organized to address and provide reporting to directors and executives, to the risk officers and auditors, and to the leadership of the technology and cybersecurity functions within a company.

      We are positive that after reading this body of work the reader could confidently address the committees, the boards, and the executives when they ask about how the organization is governing its cyber risks. We know this framework has been able to address questions from regulators about the processes and the strategy for identifying, containing, and mitigating emergent cyber threats. Finally, if you are a director and an officer of a company implementing a CI-DR, the framework provides the formalization necessary to show that the organization's risk response and process and the directors and officers have done their due care to protect the company.

       During a cyber incident is not the time to prepare your actions. Preparations are necessary; just as you prepare for financial loss, cyber incidents impact both operations and financial losses.

       Cybersecurity decisions with CI-DR “knowledge” become sophisticated business decisions.

       When cybersecurity leaders speak of business risks coupled with cyber intelligence analysis, any leader can make informed decisions.

       Any cyberattack can be thought of using deprived values and costs, which makes it an operational risk, which is ultimately a business risk. In this case, it was potential market risks, credit risks, and liquidity risks that could be lost due to operational loss. The organization wanted to keep our AA rating, and it didn't want to have customers leave to go to other institutions for banking, and it certainly did not want to take a substantial financial loss from either revenue, fines, or litigation.

      A CI-DR program can have massive impacts and outcomes, as it is built with the purpose of delivering decisions to business leaders. Throughout this book, you will see the terms “information security” or “cybersecurity” used, and in CI-DR there are distinct differences, but for the purposes of this book these terms will be synonymous.