Cyber Intelligence-Driven Risk. Richard O. Moore, III
me in patience and helped develop my transformational concepts, is Steve Attias. Steve had been a CISO at New York Life since the declaration of that industry title, and continues to advise companies on cybersecurity programs in his retirement. Finally, to my mentor-friend, Marc Sokol. Marc was the Chief Security Officer at Guardian Life when I was at New York Life but had a good decade of experience in leading an insurance company's cybersecurity programs. Marc was instrumental in my growth, executive experiences, and still assists today where I need additional help or support.
To the contributing authors, my colleagues, and friends, you all have been a part of my journey in building these programs, listened to my ideas and concepts over social gatherings, working hours, and late-night meetups. Without your direct feedback, opinions, and execution, I would have never been able to see these programs work firsthand. We have built these programs in two Fortune 100 companies to great success, and many of you are still working on those programs or have modified them to support your current environments.
There were many throughout my career who have been a part of building out these concepts into reality and there were people who gave me the support and freedom to build these programs. I would like to directly name and thank the following individuals who had a direct impact in helping to build and refine many of my concepts into programs over the last two decades. From my time at KPMG I wish to thank Neil Bryden, Barbara Cousins, Greig Arnold, and Prasad Shenoy; it was the time when the CI-DR™ concepts began to originate. I wish to thank those individuals at the Royal Bank of Scotland, Americas, who instituted and implemented the first of the CI-DR program's capabilities: Dr. Stephen Johnson (one of the co-authors of this book), Todd Hammond, David Griffeth, Chuck Thomas, Steven Savard, Robert Fitz, James McCoy, Chris Piacitelli, Frank Susi, Jack Atoyan, and David Najac. I wish to thank those responsible for implementing CI-DR version two of capabilities and functions at New York Life: Dr. Stephen Johnson, Robert Sasson, Karen Riha, Eric Grossman, Willard Dawson, and Lee Ramos. Finally, I wish the thank the following individuals at Alvarez and Marsal for creating the documentation behind these programs and putting to paper standard operating procedures, guides for building, and guides for assessing the maturity of these programs: Derek Olson (one of the co-authors of this book), Adele Merritt, Tom Stamulis, Brady Willis, Joe Nemec, Terence Goggins, Dominic Richmond, and Cassidy Lynch.
To my students and those asking me to be their mentors, thank you for listening to my rantings and ravings about our profession. You challenge me daily to be operational, effective, and creative about transformational solutions to meet the demands of the profession and industries you all strive to protect.
To my CyberSix advisors, specifically Sean Cross, who not only has looked out for the best interest of the company but has become a great friend, business partner, mentor, and coach. Your friendship and advice are what all startup organizations need to succeed from running the Founders' Roundtable, bringing startup CEOs to learn from each other, to the exhaustive time and effort you put into all those who need your services. To Steve Dufour, thank you for your strategic guidance and help in solidifying my concepts into business plans and paving the way for future services for my company. I look forward to continuing partnering, collaborating, and working together.
To my dad, whom we lost during the pandemic in 2020, due to underlying conditions. His passing placed a long pause on completing this book.
Finally, to my wife, Jennifer, who encouraged me to pursue this cybersecurity profession against many objections, before this profession became so popular. Those years of having to live above a garage raising our children while attending my undergraduate degree and continued service in the U.S. Marine Corps Reserve, through working full-time and completing my graduate degree, to becoming a professor and then moving the family for unknown adventures in this cyberworld; it could not be done without your continued support and love.
Introduction
It is even better to act quickly and err than to hesitate until the time of action is past.
– Carl von Clausewitz
THIS BOOK is designed for business leaders who are looking to unwrap the “cyber black box” and understand how cyber intelligence can improve their business decisions. For the cybersecurity professional who is trying to find an entry point to provide value to executives, and for the cybersecurity teams looking to raise their level of sophistication, this book will address the fundamental issues facing businesses and individuals today. First, organizations are still failing to respond to cyber threats due to inconsistent decisions and poor cyber hygiene. Second, both organizations and cybersecurity professionals are struggling with compliance frameworks, international legislation, and local legislative and other privacy requirements while still trying to make revenue through technology advantages. All of the frameworks, compliance, and privacy items are focused on the technology and not on how the organization should be looking at operational risk. By the end of this book, we will explain to the reader why the CI-DR™ is the center of gravity for decisions that business leaders should be taking advantage of. Business leaders in every organization are consistently being asked how the organization is dealing with cybersecurity issues, whether it can respond to cyber losses, and what the shareholders need to know should a cybersecurity breach or cyber loss leading to financial consequences occur. Most of the cybersecurity issues that current business models outline are reactive in nature and are usually actioned without much analysis or debate, leaving biased opinions and hasty approaches that ultimately detract from logical decisions.
Operational risk losses or consequences are defined in the IEC/ISO 310101 documentation and is where we begin to leverage the language needed to bring the CI-DR “knowledge” to the risk management professionals. To have a seat at the table as cyber professionals we need to be able to speak the same taxonomy as our business risk managers. Throughout the book we provide some real-world examples of how a CI-DR program assisted organizations where these capabilities were implemented and matured to assist in the business decision-making process. As you read the examples, our intent is to have you think about the role you hold at your company, or your next role, and the types of information you would want to assist you in making decisions. To be successful, it is key to have the data and knowledge, coupled with curiosity and the desire to be of value that will ultimately lead to being granted access to the internal decision-making for your organization.
With every chapter we provide the business need for a CI-DR program with a real-world example of the cybersecurity issues that many organizations have faced in the past. As you may recall, the year 2012 was very troubling for the financial services, banking, and cybersecurity practitioners. Starting in the month of September and continuing into the new year, a sympathetic nation-state of malicious actors known as QCF (Cyber Fighters of Izz ad-Din al Qassam, also known as Qassam Cyber Fighters) began to methodically stop banks from financially transacting with customers, through an attack known as a Distributed Denial of Service (DDoS). This is essentially a technical mechanism that consumes and overwhelms systems and networks, rendering them unavailable or useless for the purposes they were designed for. Many of these banking institutions leveraged their membership in the Financial Services Information Sharing and Analysis Center (FS-ISAC)2 to gain an understanding of how the attack started and to provide a secure forum for discussing best strategies to defend the banks against this adversary, helping to set the foundations for many cyber programs and processes in use today.
The ISAC provided the necessary connections among cybersecurity professionals, many of whom came from the military intelligence profession, with a forum and location to share threat intelligence as well as the ability to discuss new capabilities and mitigation process to reduce the attacks against their financial institutions without retribution for competitive interests. The Security and Exchange Commission later issued a statement that cybersecurity and threat intelligence cannot be a competitive advantage.3 The larger member institutions had begun building cyber intelligence programs and sharing information on attacks through the membership's cyber intelligence leaders. As executives continued to hear through headlines and peers throughout the banking community, their concerns were how much money they would need to spend to protect their organizations and whether they had the proper