1. CYBERSECURITY STRATEGY: A
REAL WORLD APPROACH
Jim Rutt
CTO
Dana Foundation
February 24, 2016

2. MY BACKGROUND
• 20 Years in technology
• Wide vertical experience in Finance, Healthcare,
Pharmaceutical and Nonprofit.
• Plenty of experience in the practical and governance side
of security including major incident response (9/11, 2003
power outage, 2 hurricanes, and miscellaneous breaches.)

3. WE LIVE IN DIFFERENT TIMES
• Defense in depth alone won’t work, there is no more border to defend thanks to the
rise of cloud and smartphones.
• FUD will only get you so much budget leeway, we have to get smarter with empirical
metrics and data to win the resources we need.
• Education of the end user is one of the most important facets of a cybersecurity
strategy, yet there are limits to efficacy here.
• Its time to stop putting toothpaste back in the tube after its been squeezed out
(audit remediation post-production deployments)
• You need to prepare now to justify the tools coming out in 1-3 years-skating to
where the puck is going, not where it has been.

4. 4 BROAD TYPES OF SECURITY
INCIDENTS
•Natural Disaster (9/11, 2003 Power Outage)
•Malicious Attack
•Internal Attack
•Human Error (Unintentional)**

5. ITS MORE THAN JUST AN “I.T.”
PROBLEM
1) “Its an IT Problem”
2) Its not worth the time to explain to executive management
3) Most of the investment is pure technology
4) You can’t measure ROI
5) Cybersecurity is a one-time project
6) Policies alone will CYA

6. DIFFERENCE BETWEEN “INFORMATION
SECURITY” AND “CYBERSECURITY”
• Chief difference is really in vertical used (gov’t vs. finance
vs. healthcare)
• Information security also encompasses non-digital media
which doesn’t exactly fall under cybersecurity.
• Barring those differences, the two terms have become
interchangeable in the public vernacular.

7. STRATEGY FOR CYBERSECURITY
PROGRAM MANAGEMENT
1. Review of relevant legislation
2. Define benefits and get executive management support
3. Choose a framework
4. Organize implementation
5. Risk Assessment
6. Implementation of Defensive Measures
7. Training and Awareness

8. 1. LEGISLATION
• For VNS, most likely HIPAA is the primary concern.
• Primarily concerned with the protection of PHI.
• Along with HITECH Act, lays out timelines for communication of breaches
• Wealth of information/templates to cover most of the salient points needed for compliance.
(NOREX)
• Long-time focus in the payer community so heightened awareness gives credibility to all
regulatory efforts that you drive.
• PRACTICAL APPLICATION:
• Engage NOREX to fill policy and template gaps (better than writing from scratch)
• 3rd party sources on regulatory subjects.
• Engage internal audit AT START OF PROJECTS, NOT WHEN PRODUCTION IS EXPOSED.
• Coordination with in house compliance and risk executives to close remaining gaps.

9. 2. EXECUTIVE SUPPORT
• You’ll need resources to execute (some great tools you’ll see today!)
• You need to be able to talk their language, not the Vulcan we speak.
• Our internal metrics aren’t on your typical executives radar!
PRACTICAL APPLICATION:
• Use implementation of cybersecurity related processes into business process to
show direct correlation (and by proxy justification)

10. 3. CHOOSE FRAMEWORK
• Many frameworks available (ITIL, ISO 27001, COBIT,NIST SP 800, etc)
• ISO 27001 is a good framework for those not bound by any conflicting regulatory
requirements.
• Provides defensive posture for both internal and external audit functions.
• Key is to keep it simple enough but provide a structure to show governance.
PRACTICAL APPLICATION:
• I’ve found ISO 27001 easier to follow then ITIL in my experience. Quicker time to
implementation. Free starter toolkits at http://www.iso27001security.com/html/toolkit.html
• Formal certification is not necessary in all cases.

11. 4. ORGANIZE IMPLEMENTATION
• Basic project management of your cybersecurity strategy, using the framework of your
choice as your project plan.
• Budget properly from a time and human resource. straightforward.
• Basic PMP 101.
PRACTICAL APPLICATION:
• Identifying budgetable items and tying directly to framework deliverables speeds approval
of said line items (especially using an ISO standard framework) because of the implied
justification.
• Tools available (ex: ISO 27001 from previous slide).
• ROSI(Return on Investment) calculator: http://advisera.com/27001academy/free-tools/free-
return-security-investment-calculator/

12. 5.RISK ASSESSMENT
• Essentially you are identifying those risks that are tolerable and those that must be
eliminated. Not all risk can or should be eliminated.
• Use of a risk matrix can be used in conjunction with framework items at a minimum
to address know risks and grade their severity.
PRACTICAL APPLICATION:
• There are dozens of risk matrix templates out there, but a good risk matrix I’ve
modeled my work after: http://anahiayala.com/2011/12/14/crisis-mapping-and-
cybersecurity-part-ii-risk-assessment/
• Vendor rating (partner relationships/”supply chain”): companies like RiskRecon can
give great insight on trustworthiness and risk assessment for your
upstream/downstream partnerships.

13. 6.IMPLEMENTATION OF DEFENSIVE
MEASURES
• You need to be searching out the most advanced tools and the newest technologies
to at least stay on par with the ever evolving threats persistent in the wild.
• A broader view is required as there are no borders as in the past. Defense in depth
strategies alone are not enough.
• Incident response/BC/DR should be practiced regularly.
PRACTICAL APPLICATION:
• Our move to a 100% cloud-based infrastructure has offloaded a number of risk
variables onto respective providers. Tremendous cost and time savings from self-
remediation of garden-variety risk-based issues.
• Examples of actual tools we’ve adopted are at the end of this presentation.

14. 7. TRAINING AND AWARENESS
• As stated before, end users are the weakest link in the chain of cybersecurity program
management.
• Key is not to overwhelm, but to promote awareness
• End users are already overwhelmed by the rate in change in technology in general, and they
are fearful for their livelihoods as this change progresses..
• Wherever possible, you have to adopt the posture of protecting your end user base from
themselves. They aren’t always equipped to cover all the gaps themselves.
PRACTICAL APPLICATION:
• We are looking into using gamification as a means to keep security awareness at the
forefront of end-user computing activities without “shoving it down their throats”
• Phishing-type programs have some impact, but I question the ROI on these.
• “Think before you Click” campaigns are much more effective (and cheaper).

15. Dana
iLand
Ektron Hosting
AD Hosting
Salesforce
FC
Base Product
Portals
UCD
Supporting
Apps
Linkpoint
Drawloop
Docusign
Timesheets
(summer 2016)
Base Licenses
User
SFC
Okta Office 365
Exchange
Sharepoint
Yammer
Zendesk Egnyte Security
Ensilo
Vera
Skycure
Netskope
Menlo Security
Azure
GP
Papersave

16. NETSKOPE: SEPTEMBER 2014
• Cloud Security Access Broker.
• Policy based enforcement.
• Also great for understanding what
other SaaS/PaaS applications (other
than corporate sanctioned) are
used/preferred by constituents.
• Beginnings of cloud based DLP for
Dana.

17. MENLO SECURITY: JANUARY 2015
• Proxy-based Content Isolation.
• Prevents rogue/malware from
being directly rendered.
• Zero impact on end users.
• Policy enforcement built-in.
• Traditional Content filtration also
built-in.

18. VERA: NOVEMBER 2014
• File based access control.
• Can be enforced organization
wide or ad hoc.
• MOST IMPORTANT: Allows
tracking of content as it moves
outside your control.

19. ENSILO: SEPTEMBER 2015
• Real-time, exfiltration
prevention platform.
• Endpoint based.
• Very easy to deploy.
• In lab tests, stopped every piece
of ransomware and APT we
threw against it.

20. THE END