Cyber Intelligence-Driven Risk. Richard O. Moore, III
Figure I.1 shows how the CI-DR framework is designed and organized to address and provide reporting to directors and executives, to risk officers and auditors, and of course to the leadership of the technology and cybersecurity functions within the company. The reporting to directors and executives mostly covers what the cyber program is doing to enhance or contribute to how the organization governs and responds to risk. In many organizations the business objectives drive how the organization handles risk, and they are key to how the CI-DR framework ties its goals and missions to assisting the business in meeting those objectives. Committees are another area where the CI-DR program provides analysis and input for reporting. As we mentioned, consequences of loss are listed in the International Standards Organization's Risk Management standard, and that taxonomy can be used to provide a one-to-many or many-to-many mapping from CI-DR capabilities and functions to a risk mitigation process, technology, or exposure. Risk management and compliance professionals are businesspeople, and they need technologists to speak a common language so that they can also help protect the organization against risk. The CI-DR also provides compliance, internal auditors, and technology leadership with the ability to report on the maturity and performance of the functions and capabilities. Maturity reporting within the CI-DR framework gives the organizations using this framework the confidence not to compare themselves to others, to determine their needs based on their size, budget, and the skills available in the area, and to convey the overall understanding that cybersecurity is an operational risk that can be understood by non-technologists.
FIGURE I.1 CI-DR's business value.
We are positive that after reading this body of work the reader could confidently address the committees, the boards, and the executives when they ask how the organization is governing its cyber risks. We know this framework has been able to address questions from regulators about the processes and the strategy for identifying, containing, and mitigating emergent cyber threats. Finally, if you are a director or an officer of a company implementing a CI-DR, the framework provides the formalization necessary to show that the organization has a risk response and process in place and that the directors and officers have exercised due care to protect the company.
NOTES
A cyber incident is not the time to prepare your actions. Preparations are necessary; just as you prepare for financial loss, prepare for cyber incidents, which cause both operational and financial losses.
Cybersecurity decisions with CI-DR “knowledge” become sophisticated business decisions.
When cybersecurity leaders speak of business risks coupled with cyber intelligence analysis, any leader can make informed decisions.
Any cyberattack can be thought of in terms of deprived values and costs, which makes it an operational risk, and ultimately a business risk. In this case, it was potential market risks, credit risks, and liquidity risks that could be realized as a result of operational loss. The organization wanted to keep its AA rating, it didn't want customers to leave for other banking institutions, and it certainly did not want to take a substantial financial loss from lost revenue, fines, or litigation.
A CI-DR program can have massive impacts and outcomes, as it is built with the purpose of delivering decisions to business leaders. Throughout this book, you will see the terms “information security” or “cybersecurity” used, and in CI-DR there are distinct differences, but for the purposes of this book these terms will be synonymous.
NOTES
1. International Electrotechnical Commission, Risk Management – Risk Management Techniques, 2009–2011, www.iec.ch/searchpub
2. Financial Services – Information Sharing and Analysis Center, 1999, located on the internet at https://www.fsisac.com/who-we-are
3. SEC memo
CHAPTER 1 Objectives of a Cyber Intelligence-Driven Risk Program
Knowledge must become capability.
– Carl von Clausewitz, Prussian general
ANY FRAMEWORK, methodology, or process has to have objectives and outcomes. The CI-DR™ program strives to achieve two objectives. First, the program provides accurate, timely, and relevant knowledge about cyber adversaries and the digital environment in which the organization operates. Adversaries within the cyber ecosystem are internal or external. An internal cyber adversary could be an employee, a contractor, or anyone with an objective and the physical or logical access to information otherwise not known to the public. External cyber adversaries include malicious actors, nation-states, competitors, or even outsourced platforms or processing environments and those employed or influenced there.
To achieve the first objective of the CI-DR program, four tasks must be performed. First, the program must evaluate the existing cyber conditions, cyber risks, and potential operational losses from cyber events and incidents while taking into account the many internal and external adversarial capabilities holistically. Second, based on existing cyber conditions and cyber capabilities, the program estimates possible adversarial courses of action and provides insight into possible future actions. Third, the program aids in identifying vulnerabilities that could be exploited by adversaries and the operational impact they could have on the organization. Fourth, the program and the “knowledge” it creates assist in the development and evaluation of the organization's courses of action for decisions based on the first three tasks.
The second objective of the CI-DR program is to protect organizations, through cyber counterintelligence activities, intending to deny adversaries valuable information about an organization's situation. These two objectives demonstrate how the CI-DR cyber risk programs support both the exploitative and protective elements necessary to operate in today's digital economy and infrastructure. The program aims to create timely and meaningful images of the situation confronting the decision-maker. CI-DR is the analysis and synthesis of information into knowledge. CI-DR cyber intelligence is “knowledge” that is distinguished from information or data, in that few pieces of information speak for themselves conclusively but must be combined and compared with other pieces of information, analyzed, evaluated, and given meaning.1 Good