An Integrated Approach to Managing Cyber Risk

1. The Vigilant Enterprise
An Integrated Approach to Managing Cyber Risk
Ready for what’s next.

2. Table of Contents
The Multifaceted Cyber Threat ............................................1
The Rising Cybersecurity Threat ..........................................2
Managing Cyber Risk .........................................................3
Enterprise Risk Management ........................................3
Cyber Asset Management ..............................................5
Cyber Human Capital Planning ......................................5
Resiliency and Recovery Planning .................................6
Cyber Program Oversight and Compliance ....................7
Cyber Program Planning and
Performance Management ............................................9
Building a Dynamic Cyber Defense ...................................10
Conclusion .......................................................................10
About the Authors ............................................................12
About Booz Allen ..............................................................13
Principal Offices ................................................ Back Cover

3. The Vigilant Enterprise:
An Integrated Approach to Managing Cyber Risk
The Multifaceted Cyber Threat throughout the enterprise. Do you have the
resources—and the capability—to address
Many organizations approach cybersecurity as primarily these application vulnerabilities?
a technology challenge—calling on complex solutions
• A computer virus at your corporate office forces you
to counter increasingly sophisticated threats. While
to shut down systems for an indefinite period. Is
technology is important, robust cybersecurity cannot
your resiliency plan tested and well-rehearsed, or
be implemented without effective management of
will this be your first real attempt to implement it?
the totality of the cyber milieu—coordinating a broad
spectrum of activities involving cyber policies, people, • A disgruntled employee with routine access to
and operations, in addition to technology. Consider your company’s data releases highly proprietary
these scenarios: information on the Internet. How will you anticipate
and mitigate Insider Threats in the future?
• One of your top executives downloaded an
attachment containing malware, inadvertently As these scenarios illustrate, cybersecurity
enabling a criminal to steal enormous amounts encompasses a host of interdependent activities—
of sensitive data. Your security staff contends such as monitoring cyber assets and supply chains,
that the executive should have recognized the developing processes for threat assessments (including
potentially malicious e-mail; however, your executive monitoring for network intrusions), identifying anomalous
responds, “When did I become responsible for cyber events that might identify malicious insider activity,
e-mail security?” responding quickly to attacks and minimizing impacts,
establishing remediation activities, and exercising
• A sophisticated malware to spy on and disrupt a
resiliency plans—all of which require proactive enterprise-
software application is detected running on many of
level strategy and capabilities that greatly exceed
your desktops, laptops, servers, and mobile devices.
deployment of cyber technologies. Cyber management
How quickly can you identify all the devices infected
is the set of tasks or functions for overseeing and
with this malware, mitigate damage, and trace the
coordinating these interdependent requirements.
malware’s source to prevent a recurrence?
The vigilant enterprise manages wide-ranging cyber
• A counterfeit microcircuit containing vulnerabilities capabilities in an integrated, holistic fashion to ensure
is discovered on hardware deployed throughout they work together in the most efficient and effective
your organization. Can you identify the source of manner to create a defense that is as dynamic and
counterfeit electronics in your supply chain to prevent adaptive as the environment in which it operates.
the acceptance of more compromised products?
• When using new application scanning
tools, you discover common vulnerabilities
in legacy and modernized applications deployed
1

4. The Rising Cybersecurity Threat cyber espionage attack that went undetected by the
majority of its victims. Operation Shady RAT is just one
The growing destructiveness of cyber threats is matched of many recently discovered attacks that include the
by their increasing sophistication. In 2011, the security theft of RSA SecureID security tokens and the much-
firm McAfee reported that computers within more than publicized cyber attack on Google, a multi-year effort
70 global corporations and government organizations that targeted Chinese human rights activists, and more
in 14 countries were hacked as part of a 5 year effort than 30 companies. Increasingly, many such attacks
dubbed Operation Shady RAT (Remote Access Tool).1 are sponsored by well-funded organizations motivated
The criminal enterprise that launched Operation Shady by political, religious, or financial goals. Attacks often
RAT—believed to be a state actor—gained access employ multifaceted technical and social engineering
to government secrets, valuable intellectual property, techniques and are nearly impossible to detect
and competitive business information as part of a with traditional security tools. Major banks, energy
companies, defense contractors, and government
agencies have been victims of Advanced Persistent
Exhibit 1 Cyber Mission Integration Threats (APTs) and opportunists who steal identities,
Cybersecurity is a complex, multidisciplinary challenge that financial data, intellectual capital, government secrets,
integrates and unites five major pillars of robust security:
and other valuable information over a period of months
Management, Policy, Operations, People, and Technology.
Cyber Management supports each of the other functions as and even years before discovery.
it anticipates threats and reduces risk.
The rising APT is not the only cause for alarm. The
increasing interdependence among organizations
POLICY and individuals using cyber networks creates new
vulnerabilities and opportunities for attack, as does
the expanding use of social media, mobile computing,
and other emerging technologies. At the same
time, dependence on interconnected networks and
MANAGEMENT PEOPLE
communications significantly increases the risk of harm
CYBER
MISSION that could result from insider activities. The actions of
INTEGRATION a single malicious insider can cause extensive financial
FRAMEWORK
damage and irreparable harm to the organization’s
business operations and financial bottom line. For
example, Verizon’s “2011 Data Breach Investigation’s
Report” found that regular employees and end-users—
TECHNOLOGY OPERATIONS
Source: Booz Allen Hamilton
1
“Revealed: Operation Shady RAT,” Dmitri Alperovitch, Vice President,
Threat Research, McAfee.
2

5. not the highly trusted ones—are responsible for the Exhibit 2 The Six Functions of Cyber Management
majority of data compromises.2 As the WikiLeaks
Cyber Management consists of six mutually reinforcing functions
disclosures revealed, a disgruntled employee with
to ensure that cybersecurity resources, policies, and processes
routine access to networks or systems can cause are deployed in the most cost-effective manner to reduce risk
enormous harm. The cost—from downtime and loss and support business-critical operations and mission goals.
of sensitive data to reputational and brand damage—
can be enormous. The importance of cybersecurity as RISE
RISK MANA
GE
E RP ME
an enabler of success has never been higher and the E NT NT
challenge has never been more difficult.
Cyber Program Cyber Human
Capital
Managing Cyber Risk Planning &
Performance Planning
Management
Simply building stronger firewalls and other perimeter
defenses is insufficient. Cybersecurity’s multi- Cyber
dimensional challenge requires a comprehensive Management
management approach to enable an enterprise to
oversee and coordinate all elements of cybersecurity,
including policy, operations, technology, and people Resiliency & Cyber Asset
Recovery Planning Management
(see Exhibit 1). Cyber management encompasses
a broad range of interlinked organizational activities
C
E
B C
N
Y
ER
to ensure that the cybersecurity program addresses L IA
PR
OG MP
RAM CO
the common forms of cyber attacks and the growing OVE R S I G H T A ND
threat of sophisticated APTs, as well mitigates the
risk of harm that could result from insider activity. For Source: Booz Allen Hamilton
example, Verizon reported that 96 percent of security
breaches could have been avoided through simple or
intermediate controls.3 Responsible cyber management 1. Enterprise Risk Management provides an
protects against both external and internal attacks by organizational framework for decision making that
employing dynamic defenses that prevent, deter, detect, considers risk in every decision based on the mission,
assess and mitigate these threats. Comprehensive risk tolerance, and sound policy. Cyber-related risks
management of cybersecurity entails the integrated cut across multiple functions, including acquisition,
management of six primary functions as shown Information Technology (IT) operations, IT development,
in Exhibit 2:
2
“2011 Data Breach Investigations Report,” p. 22.
3
Ibid, p.3.
3

6. and compliance. The vigilant enterprise addresses Within Enterprise Risk Management, Information Risk
risk within these different functions from a unified Management is an established practice to identify,
perspective of supporting enterprise goals and assess, and prioritize the risks to information and the
objectives, so the functions work together rather systems where the information resides. Similarly, Cyber
than as independent stovepipes. Strong enterprise Supply Chain Risk Management is an emerging practice
risk management provides an overarching enterprise that manages the risk to information and communication
perspective that coordinates interdependent cyber technology (ICT) products and services caused by the
activities and ensures that they align with business global and distributed nature of how these products and
and mission goals. Within the private sector, a chief services are assembled and delivered. ICT products and
risk officer often oversees these related activities to services are vulnerable to intentional and unintentional
measure and manage the cyber risks to business-critical insertion of vulnerabilities throughout the supply chain;
operations. Additionally, NIST Special Publication 800-39 and they are also potentially vulnerable to compromise
recently identified a “Risk Executive” function that by foreign adversaries or competitors who have failed at
fulfills a similar objective: measure and manage the traditional data mining techniques or cyber attacks, as
information security risks to mission-critical operations.4 well as to the insertion of counterfeit microelectronics.
Recent Securities and Exchange Commission (SEC) Effective supply chain risk management combines
Disclosure Guidance for publicly held companies requires multiple disciplines and functions for monitoring
disclosure of cyber incidents and cybersecurity risks that supply chains and managing risk that ICT components
present a material risk to the enterprise, similar to the with malware or vulnerabilities of any type, including
disclosure of operational and financial risks. counterfeits, will enter the enterprise.
4
“Managing Information Risk: Organization, Mission, and Information System View,”
March 2011, Section 2.3.2. The Risk Executive function is not assigned a specific
organizational role by NIST.
4

7. 2. Cyber Asset Management inventories, monitors, assess talent and skill levels against current and future
and maintains the organization’s cyber assets over needs to ensure that professional cybersecurity staff
their lifecycles, including hardware, software, data, has the right training and competencies to counter
and facilities. For example, hardware and software are the threat as it evolves over time. A vigilant enterprise
tracked to ensure that their security is current and creates a pipeline to recruit new hires and provides
complies with relevant standards. Organizations monitor continuing education and training to existing staff. These
information to ensure it remains valid and uncorrupted. efforts to hire, train, and retain top cyber talent require
Strong security of physical facilities is essential. inclusion in budget and planning activities.
Strong cyber supply chain risk management bolsters Cyber human capital planning has a different dimension
cyber asset management, because the enterprise with regard to the insider threat. Training cyber staff
can continue to monitor cyber components as they on insider threat awareness and key events that can
move through the supply chain and into the cyber signal malicious insider activity is essential to the
infrastructure. Mature organizations know what their defense of any organization. Human capital policies
assets are at any given point in time and understand and procedures that address everything from access
which cyber assets are most critical to operations to permissions for staff to how Human Resources handles
ensure their security protections are commensurate a negative work-related activity contribute to a higher
with their value. Cyber asset management reduces level of proprietary data protection. For example, the
the risk of compromised networks and systems from Secret Service’s 2005 “Insider Threat Study” found that
internal and external threats. It continuously validates a negative work-related event triggered most insiders’
that assets are legitimate, while quickly removing actions in infrastructure sectors; most insiders had
unapproved assets. Equally important, it enables acted out in a concerning manner in the workplace; the
effective response to attacks because they can quickly majority of insiders planned their activities in advance;
identify, isolate, and deactivate compromised assets. and remote access was used to carry out the majority
Cyber asset management also provides the basis for of the attacks. To minimize the risk of accidental
any performance measures related to asset protection, breaches and internal threats, all employees should
such as measures showing the physical and logical be educated about the nature of the cyber threat, how
location of all assets, the number of unapproved assets, individuals may be targeted as a penetration path, the
the level of compliance with configuration management motives and behaviors of insiders, their methods and
guidelines, and vulnerabilities and patches statistics. techniques, and how they, as users, can effectively
fight against that threat through disciplined behavior
3. Cyber Human Capital Planning supports the and reporting processes. Many organizations have a
“People” component within the Cyber Mission Integration formalized approach to ensure that employees receive
Framework (in Exhibit 1) by ensuring a comprehensive cyber education and training to understand basic
approach to hire, train, and retain a high performing cyber hygiene for desktops and devices, and adhere
cyber workforce. That strategy needs to be reinforced to policies for downloading attachments, using thumb
through a consistent, effective method to regularly
5

8. Path to Stronger Cyber Management • A well-known enterprise developed a multi-prong
solution to manage the risk posed by externally
Booz Allen is engaged with government and
facing Web sites with vulnerabilities in the code.
commercial clients across the globe, helping
The enterprise used automated tools to review
them improve cybersecurity by implementing
the code, deployed trained experts to verify and
stronger cyber management. For example, with
resolve identified vulnerabilities, tracked the
Booz Allen’s support:
progress in resolving the vulnerabilities, and
• A federal agency developed and implemented an updated software security policies and
enterprise-wide strategy for managing cyber risk processes. This initiative enhanced the
based on a NIST Risk Management Framework organization’s risk posture through the
and Consensus Audit Guidelines. The effort strengthened use of performance measures
automated traditional Security Accreditation and and cyber human capital management
Authorization processes to provide continuous techniques, and by identifying and
monitoring of assets in operations. As a result, implementing improvement actions.
the agency is meeting both its business and
• A large enterprise implemented a management
compliance objectives with a continuous
system to increase efficiencies in analyzing and
process that monitors assets in near real-time.
communicating incident data across a large
This initiative improved compliance and the
stakeholder community. The new management
organization’s understanding of cyber assets.
system helped improve enterprise resiliency by
The initiative also leveraged performance
eliminating leadership bottlenecks in the daily
measures to provide actionable data to
business decision process and accelerating
improve decision making and, ultimately,
the maturation of standardized analytic and
reduce overall enterprise risks.
management processes across the enterprise.
drives, reporting suspicious e-mails, and other routine 4. Resiliency and Recovery Planning complements
activities. At the same time, insider threats such as a Enterprise Risk Management by implementing the cyber
rogue employee with access to corporate networks and infrastructure and resources necessary to continue
databases can circumvent the most sophisticated cyber operations following an undesirable man-made or natural
defenses to deliberately steal information, plant malware, event. This takes a proactive approach to identifying and
or commit some other crime. Cyber management also remediating potential cyber challenges and addressing
should include auditing capabilities with triggers that baseline vulnerabilities. Cyber resiliency ensures
identify anomalies in behavior, abuse of privileges, or business continuity for private-sector companies
other indications of potential insider activities. and mission assurance for government agencies.
6

9. This requires that organizations understand how their 5. Cyber Program Oversight and Compliance serves
business and mission requirements are connected to two main functions: ensuring that the enterprise
the cyber domain. For example, which cyber assets are can demonstrate compliance with the applicable
essential for operations? And what critical business cybersecurity laws, regulations, standards, and
functions or mission capabilities are supported by the guidelines; and helping reduce risks through
cyber assets? This information enables the enterprise strengthening cybersecurity. A compliance program
to identify the assets and processes it depends on for should go beyond “checking boxes” to implementing
business continuity, after which it can determine what risk-based security controls. Pursuing the business and
is required for their continued functioning. In this way, compliance objectives in unison significantly increases
resiliency and recovery planning aligns the business the cost-effectiveness of oversight and compliance.
continuity plans with its disaster recovery plans
Compliance mandates and guidelines usually require a
identifying the impact of loss due to a cyber attack.
minimum set of practices protecting their assets, data,
Resiliency and recovery planning help test the and critical infrastructure. Among those originating from
performance and capabilities of cyber assets, including external bodies are the Sarbanes-Oxley (SOX) Act, SEC
people, uncovering weaknesses in cyber operations Disclosure Guidance for cybersecurity incidents and
and identifying areas for improvement. Resiliency and risks. Health Insurance Portability and Accountability Act
recovery planning should be coordinated with cyber (HIPAA), Federal Information Security Management Act
program planning and performance management, (FISMA), NIST standards and guidelines, International
which also identifies critical systems and prioritizes Organization for Standardization (ISO)/International
cybersecurity spending to protect those systems. Plans Electrotechnical Commission (IEC) 27000 family
should be tested and exercised, which will help uncover of standards, and the Organization for Economic
unforeseen problems and ensure that the plans work Cooperation and Development (OECD) Guidelines for
as anticipated during an undesirable event. the security of Information Systems and Networks.
7

10. Organizations may also create their own cybersecurity
Managing Cyber Resources and Risk: policies and standards, derived from those listed
What Keeps You Up at Night? above, but tailored to the needs of their enterprise.
Consequently, they should develop processes to
• Do you know what all of your information assess and report compliance of their cyber programs.
assets are? Are they protected according Compliance drivers usually require organizations to
to your business and mission needs? demonstrate that they have a comprehensive program
• Are your business and agency partners for identifying and managing cyber risks using a
protecting your critical information? comprehensive risk-based approach, proactive planning,
cyber asset management, resiliency and recovery
• Do your suppliers deliver capability, and performance measures.
trustworthy products?
Effective program oversight and compliance will
• How confident are you that your identify and align all internal and external compliance
organization can continue to operate drivers with applicable internal cybersecurity program
while under cyber-attack? activities. Aligning compliance drivers and cyber
• What processes are in place to ensure that activities minimizes the impact of compliance
terminated employees don’t retaliate by activities; for example, the enterprise can streamline
exfiltrating data or planting malware? the collection of information for compliance reporting
by using information already collected by the cyber
• Do your employees know how to identify security program through existing dashboards and
and handle suspicious e-mails? performance measures, asset inventories, training
• Upon discovering vulnerabilities in a statistics, and lessons learned from resiliency and
legacy application, can your enterprise recovery exercises. Ultimately, compliance should help
mitigate similar vulnerabilities across organizations strengthen cybersecurity—which, after
your enterprise? all, is the purpose of compliance mandates—and it will
enable the most efficient processes for measuring and
• Do your leaders have actionable information demonstrating compliance across the entire spectrum
to make security resource decisions? of legal, regulatory, and contractual requirements.
8

11. 6. Cyber Program Planning and Performance
Management ensures that the enterprise allocates
cyber resources in the most efficient manner, consistent
with the enterprise strategy and goals. This function
involves planning for the activities of the cyber program
and measuring the program’s effectiveness at protecting
assets. Cyber program planning also ensures the
acquisition of resources needed to continuously
address evolving threats and emerging requirements,
including, for example allocating sufficient resource
for hiring and training cybersecurity professionals.
Performance measures provide meaningful, actionable
data on the status of cyber security to decision makers
and cyber professionals throughout the organization,
helping them identify program gaps, define resources
required to close the gaps, and prioritize resources to
focus on activities that provide the greatest efficiency,
effectiveness, and ability to demonstrate long-term
return on investment.
The cyber program planning and performance
management function facilitates integration of a The cyber program planning and performance
broad range of cybersecurity functions across the management function is closely aligned with the
enterprise. Among its responsibilities, this management enterprise’s cybersecurity strategy. As a key element
function identifies cyber initiatives for funding, develops of the “policy” component within the Cyber Mission
an acquisition plan, tracks implementation, and Integration Framework (in Exhibit 1), strategy explores
measures performance over the enterprise lifecycle. various ways and means to accomplish policy goals;
A proactive cyber program planning and performance and it identifies the right configuration of capabilities
management function enables proactive, measurement- (people, process, and technology) to achieve the
based cyber security capable of anticipating and mission most efficiently. In this way, strategy helps
quickly responding to the evolving threat and guide the program planning and investment decisions
regulatory compliance environment. to carry out cyber policy and goals.
9

12. Building a Dynamic Cyber Defense monitors the threat landscape, understands its own
vulnerabilities, manages the risks associated with
When all six functional areas of cyber management malicious insiders, responds rapidly to cyber incidents
are effectively integrated and working together, cyber and attacks, minimizes quickly the impact of breaches
management supports a layered, dynamic defense in and attacks, and continuously remediates vulnerabilities,
which cyber principles and practices are embedded and strengthens security across all organizational
throughout the enterprise. With a dynamic defense dimensions of cybersecurity, namely policy, people,
in place, the enterprise proactively analyzes and technology, operations, and management.
Conclusion
No enterprise can protect itself completely from cyber As information systems become more integral to
attack. Rather, the goal is to reduce the risk of attack business and government operations and our nation’s
and damage by managing all aspects of cybersecurity critical infrastructure, cybersecurity becomes a
within an integrated dynamic defense framework. “strategic enabler” rather than a tactical afterthought.
Comprehensive cyber management ensures that the When managed in a holistic way, cybersecurity paves the
organization pays attention to the big picture, rather than way for innovative technologies such as virtualization
end solutions, aligning its resources with the enterprise and cloud computing; and it secures the environment
strategy and goals. As a result, the vigilant enterprise for game-changing solutions in areas such as e-health,
understands and manages emerging cyber security smart grids, and financial systems, and e-government.
risks, employees understand and follow the security Cyber management serves as the foundation for robust,
policies, policies are structured to prevent insiders dynamic cybersecurity that supports enterprise strategic
from releasing sensitive information, cyber assets are objectives as an integrated business process.
identified and appropriately protected, and resources are
prioritized towards high impact activities.
10

13. 11

14. About the Authors
George Schu is a Senior Vice President at Nadya Bartol is a Senior Associate at Booz Allen Hamilton
Booz Allen Hamilton and supports the Technology and manages a team of more than 35 cybersecurity
Capability efforts in the firm’s federal and commercial consultants. She has over 17 years of information
markets. His primary functional areas include technology and information assurance experience.
cybersecurity, Continuity of Operations (COOP), IT She has led numerous strategic groundbreaking
resilience, cross domain solutions, risk management, cybersecurity engagements for US federal government
identity management, and anti-money laundering/ clients addressing cybersecurity measurement,
counterterrorist financing. He is active in government continuous monitoring, and cyber supply chain
and industry associations. He holds a master’s degree risk management. Bartol has co-authored several
from Georgetown University, and is a graduate of the NIST special publications and interagency reports
Defense Language Institute and the Industrial College and serves as co-chair of DoD/DHS/NIST SwA
of the Armed Forces. Measurement Working Group. She also serves as
US delegate to an ISO committee dedicated to the
development of cybersecurity standards.
12

15. About Booz Allen Hamilton
Booz Allen Hamilton has been at the forefront of Booz Allen is headquartered in McLean, Virginia,
strategy and technology consulting for nearly a century. employs more than 25,000 people, and had revenue of
Today, Booz Allen is a leading provider of management $5.59 billion for the 12 months ended March 31, 2011.
and technology consulting services to the US Fortune has named Booz Allen one of its “100 Best
government in defense, intelligence, and civil markets, Companies to Work For” for seven consecutive years.
and to major corporations, institutions, and not-for- Working Mother has ranked the firm among its “100 Best
profit organizations. In the commercial sector, the firm Companies for Working Mothers” annually since 1999.
focuses on leveraging its existing expertise for clients More information is available at www.boozallen.com.
in the financial services, healthcare, and energy (NYSE: BAH)
markets, and to international clients in the Middle
East. Booz Allen offers clients deep functional
knowledge spanning strategy and organization, Contacts
engineering and operations, technology, and analytics— George Schu
which it combines with specialized expertise in Senior Vice President
clients’ mission and domain areas to help solve schu_george@bah.com
their toughest problems. 703-377-5001
The firm’s management consulting heritage is the Nadya Bartol
basis for its unique collaborative culture and operating Senior Associate
model, enabling Booz Allen to anticipate needs and bartol_nadya@bah.com
opportunities, rapidly deploy talent and resources, and 301-444-4114
deliver enduring results. By combining a consultant’s
problem-solving orientation with deep technical
knowledge and strong execution, Booz Allen helps
clients achieve success in their most critical missions—
as evidenced by the firm’s many client relationships that
span decades. Booz Allen helps shape thinking and
prepare for future developments in areas of national
importance, including cybersecurity, homeland security,
healthcare, and information technology.
13

16. Principal Offices
Huntsville, Alabama Indianapolis, Indiana Philadelphia, Pennsylvania
Sierra Vista, Arizona Leavenworth, Kansas Charleston, South Carolina
Los Angeles, California Aberdeen, Maryland Houston, Texas
San Diego, California Annapolis Junction, Maryland San Antonio, Texas
San Francisco, California Hanover, Maryland Abu Dhabi, United Arab Emirates
Colorado Springs, Colorado Lexington Park, Maryland Alexandria, Virginia
Denver, Colorado Linthicum, Maryland Arlington, Virginia
District of Columbia Rockville, Maryland Chantilly, Virginia
Orlando, Florida Troy, Michigan Charlottesville, Virginia
Pensacola, Florida Kansas City, Missouri Falls Church, Virginia
Sarasota, Florida Omaha, Nebraska Herndon, Virginia
Tampa, Florida Red Bank, New Jersey McLean, Virginia
Atlanta, Georgia New York, New York Norfolk, Virginia
Honolulu, Hawaii Rome, New York Stafford, Virginia
O’Fallon, Illinois Dayton, Ohio Seattle, Washington
The most complete, recent list of offices and their addresses and telephone numbers can be found on
www.boozallen.com.
©2012 Booz Allen Hamilton Inc.