Does your company have a documented cyber-threat strategy? Here are five key questions to help you assess your stategy, along with links to more information about developing cyber threat risks assessments and response plans.

1. Can Information
Security Prevail?

2. NOT WITHOUT A
Cyber-Security Strategy!

3. Does your company have a cyber-threat strategy?
In a recent survey…
only 53% of respondents have a documented
security strategy,
and only 47% indicated that their
current strategy adequately addresses the risks.
- Ernst & Young's Global Information Security Survey
Does your company have a
documented strategy with a
realistic and comprehensive
cyber-security plan?

4. Thinking you have a plan when
you do not, is dangerous
If system administrators and management believe they
have a cyber-security strategy, they are less likely to
actively allocate and focus resources.
It becomes easy to be complacent and ignore risks, hoping
the status quo is sufficient and then be surprised when it is
not.
The next five key questions can help you
assess your company’s strategy.

5. 1. Does your strategy identify threat agents who will be
attacking your organization over the next 3 to 5 years?
A defense posture can only be
evaluated in relation to threats.
Without knowing the
attackers, defenders remain in the dark
and are forced to protect from risks both
real and imagined.
The first step to any realistic strategy
is to know who the opposition is, both
today and in the future, thereby
understanding their capabilities,
objectives, and likely methods.
McAfee's 2012 Threat Predictions report is a
great document to start your analysis.

6. 2. Does your strategy articulate how you will
likely be attacked by those threat agents?
Understanding your IT environment,
where it is less secure, and how
specific threat agents will attack over
time, is imperative to a strategy.
Does the strategy talk about generic worms
viruses, and system patching? Or does it
take into account likely exploits paths….the
ones which align to the common methods of
pervasive threat agents?
For more on Intel IT’s cyber-security strategy,
read our Threat Agent Risk Assessment paper.

7. 3. What impacts and losses are estimated from
these attacks, given the expected defenses?
Strategy is about planning. Planning
security is about finding the right balance
between spending for controls, versus the
residual losses of an attack that are
acceptable. Without knowing the likely
losses, even at a generic level, it is
impossible to plan forward.
You can learn more about Intel IT’s new enterprise security
strategy, in our Rethinking Information Security paper.

8. 4. How do your security budget and
efforts align to acceptable levels of loss?
Impervious security, where no losses
occur, either do not exist or are far
too costly to employ.
Some losses are inevitable and knowing
the range that is acceptable to
management and/or shareholders is
essential. If your company is outside the
range, it should trigger plans to increase
or contract your security spending.
Intel’s model for measuring the value of security investments
paper includes prioritization against a variety of threats.

9. 5. Who is responsible for the care and maintenance
of your company’s security strategy?
Given the rapid and unpredictable
nature of security
threats, vulnerabilities, and impacts, a
strategy must be continually assessed and
adapt accordingly.
Without clear ownership, most strategies
quickly become stale and worthless. Without
a person entrusted and empowered to
actively plan and manage the cyber-threat
security strategy, your answers to questions
1 thru 4 become irrelevant.
Malcolm Harkins, Intel’s Chief Information Security
Officer, talks about balancing business growth versus risk
in this "Can Information Security Survive?" webcast.

10. Don’t become discouraged if your company does
not have a robust cyber-security strategy…
it is the norm, not the exception.
Collectively, we are still at the
beginning of this endeavor and
have much to learn. Rushing to
claim maturity is not the prudent
path. Be realistic and recognize
where you company is and
where it needs to be.

11. Intel IT is passionate about driving business
value through innovation and sharing IT best
practices with our industry peers.
Learn more about Intel IT’s information
security initiatives at: Intel.com/IT

12. Legal Notices
This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS SUMMARY.
Intel, Intel logo, are trademarks of Intel Corporation in the U.S. and other countries.
* Other names and brands may be claimed as the property of others
Copyright © 2012 Intel Corporation. All rights reserved.
Copyright © 2012, Intel Corporation. All rights reserved.