This presentation was delivered at the 2018 ISACA Security and Risk Conference in Halifax, Nova Scotia.

1. From Boardroom to War Room:
Practical Application of the NIST
Cybersecurity Framework
2018 ISACA SECURITY & RISK CONFERENCE
29 OCTOBER 2018

2. Speaker Bio 2
Rob Samuel, CISSP
Chief Cybersecurity Officer
Province of Nova Scotia
Contact Information:
Robert.Samuel@novascotia.ca
(902) 222-6685
Experience
 Communications and Electronics Engineering Officer (2001-2006)
 Senior System Analyst (2006-2010)
 Manager – Client Services (2010-2013)
 Senior Advisor – Cyber and IT Security (2013-2016)
 Chief Cybersecurity Officer (2016-Present)
Education
• Bachelor of Technology (Information Management) – Cape Breton University
• Computer Information Systems (Diploma) – Cape Breton University
• Canadian Forces School of Communications and Electronics
• Information Assurance and Security – University of Winnipeg
Boards and Affiliations
• National CIO Subcommittee on Information Protection (NCSIP) - Chair
• Microsoft Canadian Security Council - Member

3. Presentation Outline 3
Possible Solutions
How I Use The
Framework
Overview of the
Problem
Cybersecurity
Framework
Overview

4. ARE WE SECURE?
4

5. A CLEAR VIEW OF RISKS, THREATS, IMPACTS, ETC.
5

6. SECURITY OFTEN SPEAKS A DIFFERENT LANGUAGE
6

7. FEAR, UNCERTAINTY AND DOUBT
7
What Doesn’t Work?

8. FEAR, UNCERTAINTY AND DOUBT
8
What Doesn’t Work?

9. ACRONYMS (WE NEED TO SPEAK THE SAME LANGUAGE)
9
What Doesn’t Work?
Source:
RSA Conference 2017
Briefing the Board: Lessons
Learned From CISOs and
Directors

10. PEW! PEW!
10
What Doesn’t Work?

11. Presentation Outline 11
Possible Solutions
How I Use The
Framework
Overview of the
Problem
Cybersecurity
Framework
Overview

12. SHOW HOW CYBERSECURITY HELPS MANAGE
BUSINESS RISKS ( IT’S NOT AN IT ISSUE)
12
Business Risks
Financial Risk
Operational Risk
Strategic Risk
Reputational Risk
Cybersecurity
Bad Outcomes &
Negative Impacts
A breach of information exposes a sensitive
strategic organizational priority.
A ransomware infection prevents access to
medical records and impacts the ability to
deliver services to patients.
A cyber attack prevents us from processing
financial transactions (lost employee
productivity, litigation) or manipulates staff
to send money to fake accounts (cyber-
enabled financial fraud).
Inadequate security causes a loss or
disclosure of private information resulting
in loss of public trust.
Confidentiality
Risks could hinder the organizations ability to achieve its priorities and objectives
Integrity
Availability
Third Party
Medical equipment is installed with
security weaknesses allowing threat actors
to alter drug dosing (potentially lethal
consequences).
Patient Safety Risk

13. SANS SECURITY MATURITY MODEL
13
Some Options That May Work

14. GARTNER IT SCORE OVERVIEW FOR
SECURITY RISK MANAGEMENT
14
Some Options That May Work

15. GARTNER FOR IT LEADERS TOOLKIT
15
Some Options That May Work

16. Presentation Outline 16
Possible Solutions
How I Use The
Framework
Overview of the
Problem
Cybersecurity
Framework
Overview

17. FRAMEWORK:
“A frame or structure composed of
parts fitted and joined together.”
17

18. 18Establishing a Common Lexicon
A framework is a foundational tool to communicate with stakeholders at all levels.
CISO Clients & Stakeholders
Common Language to help organizations understand, manage
and reduce cybersecurity risks
 A framework helps your organization understand:
 Where you are today?
 How you are doing?
 Where do you need to improve?
 How do you measure progress?
Cybersecurity Framework

19. 19Establishing a Common Lexicon
Source: NIST Cybersecurity Framework 101

20. 20The Framework Has 5 Core Functions
Do We Understand Our Risks?
Do We Have Adequate Safeguards?
Can We Detect Anomalies and Incidents?
Can We Address Incidents?
Can We Effectively Restore Capabilities Post-Incident?

21. 21Core Functions Are Broken Down Into Categories

22. 22Categories Have a Reference ID

23. 23Categories Are Mapped to Subcategories

24. Presentation Outline 24
Possible Solutions
How I Use The
Framework
Overview of the
Problem
Cybersecurity
Framework
Overview

25. Perform a Self Assessment 25

26. Establish Your Baseline Maturity 26

27. 27
Communicate Your Security Maturity
(Americas)
Initial Repeatable Defined Managed
Industry
Benchmark
Identify
Protect
Detect
Respond
Recover
Function
Targeted Maturity
by FY 20-21
Current
Maturity
World-Class
Benchmark
Optimized

28. 28
Initial Repeatable Defined Managed
Industry
Benchmark
Identify
Protect
Detect
Respond
Recover
Function
Targeted Maturity
by FY 20-21
Current
Maturity
World-Class
Benchmark
Optimized
Communicate Your Security Maturity
(APAC)

29. 29Build Your Security Program Roadmap
2018 2019Major Themes
Increase
Situational
Awareness
Endpoint
Protection
Incident
Response
Plans
Create Incident Response Playbooks
Identify
Protect
Detect
Respond
Recover
Function
Governance
Risk Assessment
Establish Cyber Risk Council
Network Monitoring
User Education
& Awareness
Procure & Deploy Tanium
Update Awareness Policy
Asset Inventory Identification & Prioritization
Define Incident Response Roles & Responsibilities
Windows XP UpgradeCore
Enhancements
Multi-Factor Authentication
Communications Plan & Process
Deploy Cofense

30. TACTICAL PLAN
ASSET INVENTORY
30
Work Status: Implementation Stage
Project Description:
Procure and implement an asset inventory suite.
Key Milestones/Tasks Date Status Comments
1. Obtain permanent O&M funding Complete
2. Convert existing services to new service Complete
3. Declare updated service operational Complete
4. Automate reporting and asset management In-Progress
Identify
Protect
Detect
Respond
Recover
Function
How Will We Measure Success
Key Metric Target
Hardware and software
automatically detected in real-time
100%
Identification of unauthorized
hardware and software
100%
Strategic Objectives Supported
• [Objective #1]: Drive efficiency and cost reduction
• [Objective #2]: Increase security
• [Objective #3]: Reduce client downtime
• [Objective #4):
• [Objective #5]: Improve situational awareness
• [Objective #4]:
Potential Issues / Implementation Risks
• [Issue #1]: No procurement vehicle in place
• [Issue #2]: Migrating to a new tool
• [Issue #3]: Subscription Service model
Resource Summary
• Team leader / Point of Contact: Rob Samuel
• Core team members:
• Vendor liaison:
Investment Status: Approved
Cost Estimates (Indicative)
Category Cost
Capital Procurement $
Implementation $
Sustainment (O&M) $
Sustainment (FTE)

31. TACTICAL PLAN
INCIDENT RESPONSE
31
Work Status: In Progress
Project Description:
Develop and implement security incident response playbooks.
Key Milestones/Tasks Date Status Comments
1 Not Started
2 1/28/2016 Not Started
3 2/3//2016 Not Started
4 2/8/2016 Not Started
Identify
Protect
Detect
Respond
Recover
Function
How Will We Measure Success
Key Metric Target
Strategic Objectives Supported
• [Objective #1]: Decrease time to resolve incidents
• [Objective #2]: Increase efficiencies
• [Objective #3]: Reduce client downtime
• [Objective #4):
• [Objective #5]:
Potential Issues / Implementation Risks
• [Issue #1]:
• [Issue #2]:
• [Issue #3]:
Resource Summary
• Team leader / Point of Contact:
• Core team members:
• Vendor liaison:
•
Investment Status: Pending Approval
Cost Estimates (Indicative)
Category Cost
Capital Procurement
Implementation
Sustainment (O&M)
Sustainment (FTE)

32. Map Your Plans and Requests to the Framework 32
Identify
Protect
Detect
Respond
Recover
Function
Increase Workforce Education and Awareness
 Set a tone from the top in support of enterprise-wide cybersecurity improvements
 Support the implementation of mandatory annual cybersecurity awareness training
 Support internal phishing campaigns
Mitigation Plan
Overview
How You Can Help
Risk Status: Our employees and staff are largely unaware about cyber threats. Tricking
unexpecting people (social engineering) into opening fake emails or malicious documents/links
(phishing attacks) is the most common cause of cybersecurity incidents and data breaches.
Risk Velocity: We can’t block all phishing attacks, approximately X phony emails get past our
defences and are delivered to staff email inboxes each month and X% - X% of staff falling victim.
 Implement an enterprise-wide cybersecurity awareness and education program
 Improve the effectiveness of our existing secure email gateways (blocks fake emails)
 Investigate alternative secure email gateway solutions
 Implement modern anti-virus solutions to help protect users from malicious emails
 Launch internal phishing campaigns to help users learn and reduce their susceptibility

33. Use Lessons Learned from Security Incidents
as Roadmap Updates 33
Lessons Learned Remediation Steps
Critical systems lack good controls hygiene, leaving
them vulnerable to known malware.
Work with IT to improve security controls hygiene
tracking on critical systems and create incentives for
better performance.
Incident response is hampered by a lack of pre-
defined communication channels.
Establish an incident response playbook and define
roles, responsibilities and communications channels
for all stakeholders.
These are inputs into our cybersecurity roadmap
Perform a series of table top exercises to practice
incident response and refine incident response
processes with stakeholders.

34. Apply Lessons Learned to Plan Improvements 34
Added Post
Breach
2018 2019Major Themes
Increase
Situational
Awareness
Endpoint
Protection
Incident
Response
Plans
Create Incident Response Playbooks
Identify
Protect
Detect
Respond
Recover
Function
Governance
Risk Assessment
Establish Cyber Risk Council
Network Monitoring
User Education
& Awareness
Procure & Deploy Tanium
Update Awareness Policy
Asset Inventory Identification & Prioritization
Define Incident Response Roles & Responsibilities
Windows XP UpgradeCore
Enhancements
Multi-Factor Authentication
Communications Plan & Process
Deploy Cofense
Establish Pre-Defined
Communication Channels
Identify Control Owners
Improve
Hygiene
Set Hygiene Goals
Measure & Report
Improvements
Table Top 1 Table Top 2

35. Explain How Cyber Incidents to
External Companies Relate to Your Organization 35
The attacker deliberately damaged the SCADA
system (servers and workstations) to delay the
restoration of power. Staff switched to ‘manual
mode’ and restore the system.
State-sponsored attacker gained access into the
power company’s SCADA using a known piece of
malware. Effective patching may have prevented
the attacker from gaining access to systems.
The attacker flooded call centers to disrupt customer
reports of power outages and launched a
coordinated DDoS attack on the company website.
Improved controls would have reduced the
impact of these attacks.
Ukraine Attack
Identify
Protect
Detect
Respond
Recover
Function Our Organization
We have the capability to switch to back-up, off-
line critical systems in the event of a disruption.
We are investing and will upgrade our DDoS
protection.
We continue to prioritize system patching as part
of our security controls hygiene.

36. Closing Recommendations

37. Gather Information About Your Environment
(Provide Fact-Based Evidence)
37
• Technical & Administrative Details
• Business Units, Departments, Services,
• Governance, Assets, Processes, Architectures, Capabilities, etc.
• Historical Information Sources
• Cyber Insurance
• Organizational Risk Assessments
• Continuous Improvement Plans
• Audits or Independent Assessments
• Comparison to Industry Best Practices
• Center for Internet Security – Top 20 Critical Security Controls
• Communications Security Establishment – Top 10 IT Security Actions
• Australian Signals Directorate - Essential Eight Cybersecurity Incident Mitigation Strategies
• Gartner – IT Key Metrics Data

38. Perform Self Assessments
(Center for Internet Security – Critical Controls)
38
Source: Audit Scripts
CSC initial assessment tool v7

39. CENTER FOR INTERNET SECURITY –
CRITICAL SECURITY CONTROLS
39
Inventory and Control
of Hardware Assets
1
Inventory and Control
of Software Assets
2
Continuous
Vulnerability
Management
3
Controlled Use of
Administrative
Privileges
4
Secure Configuration for
Hardware and Software
on Mobiles, Laptops,
Workstaitons and Servers
5
Maintenance,
Monitoring and
Analysis of Audit Logs
6
Email and Web
Browser Protections
7
Malware Defences
8
Limitation and Control
of Network Ports,
Protocols and Services
9
Data Recovery
Capabilities
Secure Configuration for
Network Devices
(Firewalls, Routers,
Switches)
Boundary Defence
Data Protection
Controlled Access
Based on Need to
Know
Wireless Access
Control
Account Monitoring
and Control
Implement a Security
Awareness and
Training Program
Application Software
Security
Incident Response and
Management
Penetration Tests and
Red Team Exercises
10
11
12
13
14
15
16
17
18
19
20
Not Met
Partially Met
Implemented
Baseline Your Org Against Best Practices
(Center for Internet Security – Critical Controls)

40. ΩCYBERSECURITY STRATEGY AND PLANNING
40

41. • Mission
• Vision
• Mandate
• Principles
• CharterPurpose
• Current State / Gaps
• Strategic Plan
• Priorities
• Action Plan
• Roadmap
Strategy
• Organizational Structure
• Governance
• Authorities
• Business Processes
Organization
• Function, Category, Role
• Knowledge & Skills
• Strategic Intake Plan
• Succession Planning
• Talent Management
People
• IT Capabilities
• Budget Allocations
• HR Allocations
• Organizational Priority
Supports
• Outcomes
• Business Benefits
• KRI’s / KPI’s
• Security Maturity
• Annual Report
Results
Enterprise Cybersecurity Program Planning

42. 1. Understand Your Audience
• Articulate the Business Risks
2. Keep It Simple
• No Acronyms
• Easy to Understand Language
• Be Brief, Be Bright, Be Gone
3. Do Not Use Fear, Uncertainty and Doubt
• Provide Facts, Relevant to Your Industry / Organization
4. Map Topics Back to the Overall Strategy
Guiding Principles

43. Questions?