Ariel Evans is an expert, entrepreneur and commercial developer of cyber security in Israel, USA.
She recently took charge of an Israeli network risk company that provides network risk quantification for businesses, network insurance companies and M & A teams.
She also consulted more than 30 Israeli companies for Israelis who connect online startups with funding and business development opportunities.
As an entrepreneur in America, she raised more than $0.2 billion from private equity and venture capital companies and successfully pulled out twice.
Evans is the chief information security officer of a large telecom company in the United States.
She is recognized as a leader in Wall Street risk and compliance at McGraw-Hill, XL Capital, JPMorgan Chase, Merrill Lynch and Lockheed Martin.
Her insight into regulation, governance and business-connected technology enables her to provide expert guidance to the Department of Homeland Security, the payment card industry and other governing bodies responsible for reducing risks and understanding the impact of complex technologies on risks.
Christopher P. Skroupa: What is the main growth area of network security?
Ariel Evans: There are three major areas of growth over the next decade: cyber risk, cyber insurance, and IoT security.
Each of these three areas is green and the next level of network security.
The board and executives of the organization must protect the assets of the enterprise.
7 out of 10 Target board members were removed and the CEO fired.
They know nothing about the risks of the network to the business.
Cyber risk must be understood in dollars and cents to communicate in the language that the board and executives understand.
Only in this way can senior managers develop networking strategies that enable them to properly protect their assets.
Network Insurance is in its infancy, so organizations need to know how much network insurance they need.
Target, which has $100 million in online insurance, lost more than $0.45 billion today, with an estimated total of $1 billion by the end of 2017.
This is not surprising at all. It’s way off.
Network Insurance is a tool to transfer risks and needs to be related to network risks.
More than 1 billion IoT devices are currently in use, and more than 50 billion are expected by 2020.
Unprecedented large Internet of Things
A few months ago, the central DDoS attack caused Twitter, Amazon, Tumblr, Reddit, Spotify, and Netflix to attack Internet infrastructure companies that did not reset their firmware default passwords.
Unfortunately, the password is hardcoded into the firmware.
The tool to disable the firmware does not exist, and most importantly, the web interface does not even know that these credentials exist.
This is basically unfixable and still a cyber threat.
The only way to protect them is to unplug them from the Internet.
History repeats itself again.
The name of the game is security in obscurity.
Malicious individuals and countries are once again taking advantage of the inability to incorporate cyber security controls into technology.
The bottom line is that organizations have to be in front of the network, not behind.
We must be proactive, not bolt it on.
Our thinking must be strategic, not passive.
Network Risk allows thought to lead, and Network Insurance provides an additional layer of protection, which may lead to network security if the Internet of Things security problem is not solved now.
Skroupa: How do companies evaluate the effectiveness of their network security tool stack?
What does this have to do with network risk?
Evans: Most organizations have layered security tools such as firewalls, intrusion protection systems (IPS), prevention of data loss (DLP) and management of security incidents and incidents (SIEM).
These organizations may only focus on controlling maturity and then assess network risks.
Control maturity is the term IT usually uses to measure its execution power, and it originates from CobIT (Control Objectives for Information and Related Technologies), ITIL (Information Technology Infrastructure Library) and CMMI (Capability Maturity Model Integration) models.
For the effectiveness of these layered tools, control maturity does not provide visibility.
This bottom-up security method only describes the implementation status of the control.
It stays at the system level and does not link business processes to data assets and systems, so it lacks the ability to show the lack of control effect or the network risk of the discovered vulnerability.
The bottom-up method has proven itself to be very inaccurate because they measure control at a technical level and only describe the maturity of the control, not its effectiveness.
As an example, an anti-malware solution can be 90% mature as it is installed on 90% of endpoints.
But in terms of effectiveness, the policy that this control is implementing may not be related to risk; its effectiveness may be 0%.
Network risk is measured by assessing control maturity, making it possible for organizations to suffer network losses.
A top-down approach links the business impact of assets and processes to network risk and demonstrates the effectiveness of network security tools.
A top-down approach is the only way to measure asset risk, properly prioritize remediation and equate remediation with the amount of cyber insurance required.
Skroupa: How does Network Insurance develop?
Evans: Internet insurance is one of the fastest growing areas in the insurance industry.
Network insurance companies began to understand the need to distinguish themselves from the price policy based on the actual risks of the insured.
Today is the neighbor method.
You sold a $0.5 billion policy to Bank A for $5 million, which you think is valid for Bank B.
The problem is that Bank A's network security situation may be very different from Bank B's.
Can you insure a 21-year-old New Yorker with a DWI with the same premium as a 50-year-old driver from Montana, driving record spotless? Hardly.
Insurance has always been based on risk, so why is the network out of sync here?
Cyber insurance companies have been trying to take a simpler, gentler approach with zero as a result.
Measuring network risk requires understanding the impact of cyber attacks on business assets.
Priority must be given to assets.
A system that, if broken, makes money, or will cost you a fine, is very different from a system that has minimal impact on the business.
Visibility into exposure in dollars and cents gives Cyber insurers a competitive edge, enabling them to differentiate policies for excellent cyber drivers and gain a competitive advantage.
Risk metrics allow for risk accumulation scenario analysis of data filtering and cloud compromises in the portfolio of network insurance companies.
Finally, risk metrics now show that an organization actually needs a lot of cyber insurance.
Skroupa: How will the internet of things affect network security in the next few years?
Evans: The Internet of Things means connectivity.
The Internet of Things is a physical device, a vehicle (also known as "connected devices" and "smart devices"), buildings and other items embedded with electronics, software, sensors, actuators, and network connections that enable these objects to collect and exchange data.
The Internet of Things revolves around increased machine-to-machine communication; it is built on cloud computing and data networks; acquisition sensors; mobile, virtual and instant connections; from street lights to the harbor, they say, it will make everything in our lives "smart".
This smart framework has a range of risks associated with technologies that already have high risks.
Combine these together and your risk will multiply.
The risks of cloud technology and mobile technology are well-known.
Premise technology.
As more and more companies make sensors and devices, they continue to be stingy with safety to get competitive prices.
This increases the risk.
With the outbreak of the Internet of Things, security risks also broke out, followed by a series of high-priced data leakage incidents.
Regulation is always lagging behind technology and there will be no difference in the internet of things.
The problem with this is that the obscure cost of security may end up reaching the boiling point and you and I will be left to hold the bag.