Part of the Pell Center's Cyber Leadership project, the Rhode Island Corporate Cybersecurity Initiative supports senior business leaders and decision makers who can effect change and make Rhode Island's corporate community more secure and resilient to cyber incidents.
By bringing together senior leaders from the defense industry, financial services, technology, health care, energy and telecommunications, the initiative:
- Addresses the most critical cybersecurity challenges facing the private sector
- Encourages cybersecurity awareness and training
- Promotes best practices, business continuity and resiliency planning
- Develops approaches to share cyber threat information and assure legal and regulatory compliance
The Rhode Island Corporate Cybersecurity Initiative takes advantage of New England's outstanding academic, industrial and research resources to develop the next generation of cyber-strategic leaders, who understand the technical, ethical, legal and compliance issues surrounding cybersecurity and take responsibility for developing effective security policies, procedures and protocols to protect their organizations and the nation's private infrastructure.
For more information, or to register for an upcoming event, contact Francesca Spidalieri, Pell Center fellow for cyber leadership.
Tuesday, March 10
8:30-9 a.m. - Networking breakfast
9-10:30 a.m. - Panel discussion
While often considered a primarily technology-focused challenge, cybersecurity remains profoundly human-centric. Human beings, as IT professionals, design, build, implement, maintain and govern the systems that form the "central nervous system" of the modern organization. Human beings, as employees of the organization, remain the most frequent avenue of cyber attack and constitute a major ongoing vulnerability. Human beings, as nefarious actors, conduct cyber attacks for a variety of (very human) motives. And human beings, as cybersecurity professionals, must identify and protect against, detect, respond to and recover from cyber attacks.
Because of this, proper management of the workforce is essential to enterprise resilience in the face of persistent cyber threats. This requires a holistic approach to hiring, deploying and managing the workforce that spans everyone from business executives to front-line employees, and from cybersecurity professionals to IT operations managers. In turn, workforce management must be aligned to prioritized enterprise action. The seminar will provide a forum to discuss highlights from the Cybersecurity Workforce Handbook, recently published by the Council on CyberSecurity, and will cover several key topics:
- Aligning the workforce to prioritized action (critical security controls)
- Assigning essential tasks for the entire workforce
- Deploying mission-critical cybersecurity roles
- Building a security-oriented culture
- Providing effective governance of cybersecurity activities
Panelists will include Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center; Maurice Uenuma, senior vice president at the Center for Internet Security; and Geoff Hancock, cybersecurity senior executive. This will be a unique opportunity to work through the challenges of cybersecurity workforce management and the specific concerns that arise when looking for the right talent to fit an enterprise's cybersecurity needs. Companies are encouraged to bring a representative from their HR office to better address their questions and share their experiences in this area.
Tuesday, April 7
8:30-9 a.m. - Networking breakfast
9-10:30 a.m. - Panel discussion
Working with third party vendors is almost inevitable in today's dynamic and ever-changing business environment. Many companies use service providers that offer specialized services and provide scalability. But doing so also introduces new risks that, if not properly managed, may adversely impact the organization and result in damage to the brand, loss of investor and customer confidence, and financial or reputational harm. All of this can have lasting effects and may result in a company's failure to meet its business objectives, or worse.
As leaders, it is our responsibility to work with the business to understand and minimize the risks that these suppliers and service providers introduce along with their services. As recent headlines have shown, cyber attackers are increasingly targeting third party suppliers as a way to get access to their clients' information and possibly internal systems. Yet, most companies fail to recognize those security risks or see the need to work proactively with the business, partners and suppliers to reduce them.
This roundtable discussion will explore the specific risks to the business when contemplating the use of third party vendors, and how to manage those risks in a way that enables business objectives. Micheal Andreozzi, IS compliance manager at National Grid, and Scott Baron, director of governance, risk and compliance at National Grid, will examine important steps for identifying the risks posed by potentially insecure third party vendors, and options for mitigating those risks as part of the decision-making process.
The speakers discussed how to establish and maintain effective information sharing partnerships to enhance an organization's situational awareness, acquire the right threat feed from trusted sources and manage an organization's exposure to intrusions and breaches through comprehensive cybersecurity programs. Panelists included Ellen Giblin, counsel at Locke Lord and Pell Center adjunct fellow; Don Ulsch, PwC managing director and cybercrime expert; and Ken Mortensen, PwC senior managing director and privacy expert.
The first workshop for 2015 featured Andy Bonillo, director of cybersecurity and public safety for Verizon, who offered participants a unique opportunity to hear about the latest cyber threats, vulnerabilities and trends, and what to expect in 2015. He shared with the group of senior executives gathered for the seminar an overview of major cyber-attack patterns and findings from the 2014 Verizon Data Breach Investigations Report, one of the most anticipated annual computer security reports in the field.
During this follow-up meeting to the September workshop, key stakeholders from around the state provided advice and guidance on the changes needed to strengthen the current Rhode Island Data Security and Breach Notification Law. Sen. Lou DiPalma chaired the meeting with representatives of the financial sector, the R.I. Attorney General's Office, the R.I. Department of Business Regulation, and the R.I. State Police.
Frank Motta, executive vice president of CAI Managed IT, discussed cybersecurity issues and business continuity solutions for small and medium-size businesses (SMBs), and in particular the need for businesses to develop a holistic, company-wide methodology for minimizing their exposure to hackers and cyber criminals. He provided a list of best practices and low- or no-cost solutions for SMBs to protect their systems and digital assets, from prevention and mitigation strategies to disaster recovery planning and cyber risk management.
Steve Katz, the world's first chief information security officer and a renowned cybersecurity expert, discussed the need for corporate leaders to be fully informed about how cyber-risk issues are being addressed within their companies, and outlined the skills and knowledge that a chief information security officer should have, especially the ability to communicate cybersecurity issues effectively and to build relationships with the C-suite.
The event brought together internationally renowned experts and cybersecurity practitioners to discuss key cyber-operation concepts, including the legal implications of active defense, cyber-countermeasures vis-à-vis the Tallinn Manual, and how "privatized cyber counter strikes" may influence the future of cyber deterrence.
The panel included:
- Joe Provost, CEO of SYNCSTATE, a cyber threat security and intelligence analysis company
- Robert Clark, distinguished professor of law at the U.S. Naval Academy's Center for Cyber Security Studies
- Col. James Bitzes, staff judge advocate for the U.S. Cyber Command
- Michael Schmitt, director of the Stockton Center for the Study of International Law at the U.S. Naval War College and main author of the "Tallinn Manual on the International Law Applicable to Cyber Warfare"
- Karl Wadensten, president of VIBCO, a prominent R.I. manufacturer
The five distinguished panelists explored the timely and controversial issues of commercial hacking and the lack of clearly defined laws, whether domestic or international, to deter, punish or pursue foreign hackers.
The invitation-only roundtable discussion brought together key players in the state to review current gaps in Rhode Island's Data Security and Breach Notification Law, compare the R.I. law with those of other states, and propose methods to strengthen the existing law. The distinguished group of policy makers, state representatives, business leaders and law enforcement officials present at the workshop agreed that an update to the current R.I. breach notification law is both necessary and urgent in order to raise the cost of data breaches, better protect customers' personal information, and give companies an incentive to implement better security practices. A list of their recommendations for strengthening the existing law will be published in an upcoming policy memo.
The first R.I. Corporate Cybersecurity Tabletop Exercise was a cross-industry, discussion-based exercise that provided private sector leaders the opportunity to raise their awareness and develop an understanding of the most pressing cyber threats to their organizations' networks and sensitive information.
More than 30 industry leaders participated in the exercise, demonstrating their commitment to cybersecurity and their desire to build upon existing informal relationships to improve the overall security posture of the R.I. private sector.
Melissa Hathaway, president of Hathaway Global Strategies and a senior adviser at Harvard University's Belfer Center for Science and International Affairs, gave a public lecture titled "Strategic Advantage: Why You Should Care About Cybersecurity."
The After-Action Report Workshop discussed lessons learned from the Corporate Cybersecurity Tabletop Exercise and further steps companies may take to better protect their organizations from cyber threats and vulnerabilities. The workshop built upon the exercise by outlining major strengths and areas of improvement, discussing how organizations currently handle situations similar to the ones simulated in the exercise, and identifying any related best practices.
The comprehensive After Action Report includes the findings and observations of this exercise and offers actionable recommendations to help organizations prioritize their cybersecurity improvement plans and cultivate information-sharing and cooperation activities.
The seminar introduced participants to the current tactics, techniques and procedures that malicious actors are deploying against network infrastructure worldwide. Ken Bell, senior cyber intelligence analyst at Raytheon and adjunct fellow at the Pell Center, examined the emerging trends and threats related to cybersecurity for 2014 and discussed proactive measures to help organizations, regardless of their size or industry, better protect their proprietary information and assets from those emerging threats.
The workshop focused on the often missing link in cybersecurity: plain-English communication between IT staff and the executives whose responsibility it is to protect company assets and reputation. Subject matter experts April Lorenzen and Nat Kopcyk from Dissect Cyber led the workshop and a series of group exercises and activities on some of the most pressing cybersecurity topics. Participants came away with a better idea of how to infuse a stronger culture of security, proof and transparency into the protection of their organizations' sensitive information and digital assets.
The panel discussion explored how Rhode Island organizations charged with providing the state's and nation's financial, energy, health care and other critical systems could use the NIST Cybersecurity Framework to better protect their information and physical assets from cyber attacks. The panel included Adam Sedgewick, National Institute of Standards and Technology senior information technology policy adviser; Michael Leking, the Department of Homeland Security's cybersecurity adviser for the Northeast region; and Jamia McDonald, executive director of the state's Emergency Management Agency. The three distinguished panelists discussed the specifics of the framework and other national and state initiatives to support its implementation. In addition, Sen. Sheldon Whitehouse (D-RI) and Rep. James Langevin (D-RI) delivered keynote speeches and acknowledged the commitment of R.I. leaders to strengthening the state's cybersecurity posture, and of institutions like the Pell Center that provide an excellent forum for regional efforts in this field.