
Modernizing Risk Management to Support Evolution of IT


1 Modernizing Risk Management to Support Evolution of IT
Mr. Eric Sanders CISO, NRO Director, NRO Cyber Security Office

2 Today's Presentation
- Setting the Stage
- Four Major Issues: Lack of Expertise; Complex IT Environments; The Slow, Boring Paper Game; Future Attacks
- Resolution: Understanding

3 Setting the Stage
- Technology is constantly changing, at ever-increasing rates
- Ensuring that new technologies are secure is difficult
- Traditional risk/compliance assessment is laborious and cumbersome
- Risk management must evolve to match the changing nature of cyber security
Source: Fujitsu Forum 2016, "Driving Digital Transformation", 11/16/2016

4 Lack of Expertise
"In all, some 84% of cybersecurity workers are open to new employment opportunities in 2018, including 14% who are actively looking for a change." (ISC2, "Hiring and Retaining Top Cybersecurity Talent", 2018)
- Maintaining skilled workers in the IT industry is difficult
- Maintaining those same skills within cyber security is even harder, as the ISC2 study indicates
- Maintaining those skills within risk/compliance assessment is next to impossible
- Issues with getting and keeping skilled individuals in risk management: not the sexy job; not seen as a technical job

5 Risk Management
- Current risk management processes tend to slow down and hinder actual risk management decisions
Source: TechBeacon report from 3/22/2018

6 Complex IT Environments
- Traditional risk management separated everything into systems and provided an assessment of each system individually
- Today's IT environments are so interconnected and mutually trusting that true risk management must consider the impact of all connected systems
- Connections between dev and ops; government agencies have multiple dev and ops systems
- Requires complete understanding of all devices on the network, including their configurations and changes
- Need to understand the data and its sharing requirements
Source: Fujitsu Forum 2016, "Driving Digital Transformation", 11/16/2016

7 The Slow, Boring Paper Game
- By the time compliance is documented, the underlying system has changed
- Reducing compliance requirements can speed up the process somewhat
- Automation of the decision-making process is the real game changer

8 Future Attacks
- 2017 set a new record for published vulnerabilities (14,714)
- 2018 set another new record (over 16,500)
- Current risk management methods can't cope with today's attack vectors
- Must be fast but thorough
- Must accommodate a constant state of change in order to protect against future attack vectors

9 Understanding
- What is the environment? Not just servers and software, but what should actually be trusted?
- What is acceptable risk? Need to understand the data, vulnerabilities, and threats as well as the mitigations
- How does risk relate to ROI?
- What is the fastest and easiest risk management process given the risk level?

10 Solution
- Continuous scanning of IT
- If the baseline is understood, then risk management is simply an assessment of any changes
- Scanning must be automated
- Depending on the system's risk level and type of change, allow automated decision-making, e.g. for non-complex systems with non-security-related changes (a standard desktop update of COTS software to the latest version)
- Risk management for complex systems and for security-related changes can still be fully automated except for the decision itself

11 Our Approach
- Automated vulnerability and configuration scanning
- Automatically map scan results to NIST security controls
- Tie pass/fail of security controls to vulnerability and threat information, allowing for an automated risk score
- The risk score can be used for an automated risk decision on a continuous basis
- Example of a normalized score: (Current risk score − Lowest possible risk score) / Lowest possible risk score
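The pipeline sketched on slides 10 and 11 (scan, map findings to controls, weight failed controls with vulnerability and threat data, normalize against the system's floor, then either decide automatically or hand the decision to a human) is shown end to end in the following added example. It is illustrative code written for this page, not the NRO's tooling or any scanner's real output: the check names, the check-to-control mapping, the weighting rule, the scan results and the system definitions are all constructed. The control IDs are assumed to be NIST SP 800-53 identifiers, which the slide does not state explicitly. The "lowest possible risk score" is treated as a strictly positive inherent-risk floor; if it were zero, the slide's normalized formula would divide by zero, so a real implementation must reject that configuration.

```python
"""Continuous risk scoring: scan findings -> control pass/fail -> weighted
score -> normalized score -> automated decision or escalation.

Constructed example; names, mappings and weights are hypothetical.
"""
from dataclasses import dataclass

# Constructed mapping of scanner check IDs to NIST SP 800-53 control IDs.
# The check names are hypothetical; the control IDs are assumed 800-53 controls.
CHECK_TO_CONTROL = {
    "ssh_root_login_enabled": "AC-6",   # Least Privilege
    "patch_missing": "SI-2",            # Flaw Remediation
    "audit_logging_disabled": "AU-2",   # Event Logging
    "weak_tls_cipher": "SC-8",          # Transmission Confidentiality and Integrity
}


@dataclass
class Finding:
    check: str                   # scanner check ID (key of CHECK_TO_CONTROL)
    passed: bool
    cvss: float = 0.0            # CVSS base score of the linked vulnerability, 0 if none
    exploit_known: bool = False  # threat information: a public exploit exists


@dataclass
class System:
    name: str
    is_complex: bool             # interconnected / high-impact: decision needs a human
    floor: float                 # lowest possible risk score (inherent risk, must be > 0)


def map_to_controls(findings):
    """Collapse raw scan results to one status per control. A control fails
    if any mapped check fails; among failed checks the highest CVSS is kept."""
    status = {}
    for f in findings:
        control = CHECK_TO_CONTROL.get(f.check)
        if control is None:
            continue  # unmapped check: a real pipeline should report these separately
        prev = status.get(control)
        if prev is None or (not f.passed and (prev.passed or f.cvss > prev.cvss)):
            status[control] = f
    return status


def control_weight(f):
    """Risk contribution of one failed control (constructed rule): base 1.0,
    scaled by CVSS/10, doubled when a public exploit is known."""
    w = 1.0 + f.cvss / 10.0
    return w * 2.0 if f.exploit_known else w


def assess(system, findings, security_change, threshold=1.0):
    """Score a system after a change and return the automated outcome."""
    if system.floor <= 0:
        raise ValueError("lowest possible risk score must be positive")
    status = map_to_controls(findings)
    failed = {c: f for c, f in status.items() if not f.passed}
    current = system.floor + sum(control_weight(f) for f in failed.values())
    # Slide 11's normalized score: (current - lowest) / lowest.
    normalized = (current - system.floor) / system.floor
    if system.is_complex or security_change:
        decision = "escalate"        # scoring is automated, the decision is not
    elif normalized <= threshold:
        decision = "auto-approve"
    else:
        decision = "auto-reject"
    return {
        "system": system.name,
        "failed_controls": sorted(failed),
        "current_score": current,
        "normalized": normalized,
        "decision": decision,
    }


# Constructed sample data: a standard desktop after a routine COTS update,
# and an interconnected ops database server.
DESKTOP = System("desktop-042", is_complex=False, floor=2.0)
DESKTOP_SCAN = [
    Finding("patch_missing", passed=True),
    Finding("ssh_root_login_enabled", passed=True),
    Finding("weak_tls_cipher", passed=False, cvss=5.0),
]

SERVER = System("ops-db-01", is_complex=True, floor=4.0)
SERVER_SCAN = [
    Finding("patch_missing", passed=False, cvss=9.8, exploit_known=True),
    Finding("audit_logging_disabled", passed=False),
    Finding("weak_tls_cipher", passed=True),
]

if __name__ == "__main__":
    print(assess(DESKTOP, DESKTOP_SCAN, security_change=False))
    print(assess(SERVER, SERVER_SCAN, security_change=False))
```

With these inputs the desktop fails only SC-8, scores (3.5 − 2.0) / 2.0 = 0.75 and is auto-approved; the server fails SI-2 and AU-2, scores (8.96 − 4.0) / 4.0 = 1.24 and is escalated regardless of the threshold because it is marked complex. Flagging the same desktop change as security-related also escalates it, which is the slide's point: the scoring stays automated while the decision moves to a person.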
