SAIC CIO Charles Beard:
Three Steps to Cybersecurity

Sadly, that also includes trusted parties operating on your own network or within your own accounts.

As a company that prides itself on tackling many of the nation's and the world's toughest technical challenges, cybersecurity is embedded in all that SAIC does. Between our cyber-aware employees and our specialized, in-house cybersecurity capabilities, we are well positioned to protect our company and customer information, and to assist other organizations in improving their cyber posture. Here's how we approach it for ourselves and our customers.

Step 1. Document and Develop Processes

Cybersecurity policies and procedures — prevention, detection and remediation — must be well developed and well understood. Disaster recovery, business continuity and general computer controls are woven into the framework of financial reporting for most companies. Broader data needs require a similar approach. Industry standards, such as ISO 27001, a best practices framework for managing security, is a good starting point. Key questions might include:

• Do you have a data taxonomy (data classification system) that's managed in an integrated security management program?

• Does that system cover personal data, privacy data, intellectual property and customer proprietary data?

• Are the control systems appropriate for this data properly enforced and monitored?

• Are your data access, network logs and security monitoring adequate to answer these questions?

Many senior executives struggle to answer the rudimentary questions posed here. It therefore falls to the IT department to state the challenge succinctly because, when confronted with a breach, investigatory or review bodies will certainly ask these questions. After conducting a gap analysis, determine the multiple threat areas and the corresponding risks.

Step 2. Determine the Threats You Face, Their Vectors, and Associated Risks

From the desktop to the data center, multiple threat vectors pose operational, financial, reputational or legal risks. Document your current cyber posture from the outside in. Start from the end-point devices and go back to the data repositories, whether in house or with contracted third parties.

• Are your assets free of embedded cyber agents?

• Do you encrypt data at rest, in transit or stored on mobile devices?

• Do you have asset tracking enabled?

• Are you using rights management technologies to protect digital media?

• Have you applied technology to those devices to protect them from infiltration?

• What is the status of your current credentialing and authenticating technology?

• Do you have effective security monitoring in place and understand your current threat profiles?

• How many attacks do you see each day?

• How many of these have resulted in exfiltration of information?

• How long did it take you to know you had a problem?

• Do you understand how it happened?

Document each risk and present these to your risk committee. Qualify and quantify potential exposure. Use company-approved processes to quantify risk and probability of occurrence. The combination of your gap analysis from your integrated security management system and risks identified will help inform your organization's cyber profile.

Step 3. Understand Your Company's Cyber Profile

The use of cyberspace to conduct business and provide government services holds the promise of great benefit but also the downside of increasingly sophisticated criminal activity. The challenge for business and government is balancing appropriate security with access. That means a company's security posture must align with the environment in which the organization and its trading partners operate. The following questions will help determine the level of maturity required and the level of maturity you possess.

• Is your regulatory, statutory or legal environment complex?

• Does the process analysis conducted at step one align with that environment?

• Do the technical solutions implemented provide reasonable assurance and due care for the information they are designed to protect?

Because of the business environment in which SAIC operates, we take cybersecurity very seriously. That's one of the reasons I consider it a privilege to be CIO here. We have people who provide managed security services for external customers and do a remarkable job. I shuttered my own security operations center and became a customer. We also have scientists and technologists who are thinking far in advance about what the future may hold — what I call "left of zero" — and we leverage their intellectual capacity to anticipate the criminal element's next move. We work hard every day to keep the virtual yellow crime tape away from our facilities. Our clients, employees and shareholders wouldn't have it any other way.