Timeless Reflections

We cherish too, the Poppy red
That grows on fields where valor led,
It seems to signal to the skies
That blood of heroes never dies.

Moina Michael – poet

This Memorial Day we are re-posting a reflection we ran previously, for it emphasizes the timeless values that are inherent in this special day of remembering.  The solemn nature of the day is symbolized by flying the flag at half-staff until noon, to honor all those who have given their lives in defense of this nation. Please join in remembering their sacrifice.

In a small town, the kind of town where doors were never locked, seen through the eyes of the children, Memorial Day was an exciting experience. The usually predictable, measured pace of life abruptly changed. The quiet of the early morning hours quickly gave way to the stirring of a community coming to life. Far off came the sound of a single trombone, soon to be joined by all of its neighbors in the brass section of the high school band, tuning up before marching across town to the steady beat of the bass drum.

The 2015 Hidden Heroes Coalition Summit: Progress and Promise Produced Focused Initiatives and Overwhelming Support for Military and Veteran Caregivers

First Lady Michelle Obama pledges her support to America’s military and veteran caregivers at the Elizabeth Dole Foundation’s Hidden Heroes Coalition Summit, May 20, Ronald Reagan Building and International Trade Center, Washington, DC. Photo credit: Lynn Dykstra, Focused Images.

Download high res: https://www.dropbox.com/s/pcxxryckapl9ffq/IMG_0438%20First%20Lady%20Michelle%20Obama.jpg?dl=0

Washington, D.C. — The Elizabeth Dole Foundation hosted the 2015 Hidden Heroes Coalition Summit: Progress and Promise on May 20 at the Ronald Reagan Building and International Trade Center, in Washington, DC. The event featured remarks from First Lady Michelle Obama and Veterans Affairs Secretary Robert A. McDonald, along with a special video message from Tom Hanks announcing his leadership of a national awareness campaign to call attention to the service provided by loved ones caring for wounded, ill and injured service members and veterans. The voices were different, but they all touched on a resounding theme: our nation has made real progress on behalf of military and veteran caregivers, but more must be done to provide these hidden heroes with the support they need and deserve.

The summit marked one year since Senator Elizabeth Dole launched the National Coalition for Military Caregivers. At the time of the coalition’s launch, Senator Dole promised to report on the progress made on behalf of caregivers one year later. The program opened with an impressive series of coalition partners describing the initiatives their organizations had launched or grown in the last 12 months to support military and veteran caregivers. Speakers included leaders from USAA, lead sponsor of the Summit, the U.S. Chamber of Commerce Foundation’s Hiring Our Heroes, Capital One, Easter Seals, The Home Depot Foundation, Operation Homefront, TAPS, and the Bristol-Myers Squibb Foundation.

In her own remarks, Senator Dole named dozens of private, public, nonprofit and faith organizations and leaders who have taken steps to directly address the gaps in support revealed by the Foundation’s 2014 RAND report on military and veteran caregivers. Senator Dole reflected on the significant shift in the nation’s caregiver support, stating, “We have seen allied groups working together; funders teaming with service providers; and ideas, resources, and best practices shared across the board without pride of ownership… The breadth of organizations doing their part is extraordinary, and when you bring them all together you see the powerful and effective relationships that have been formed to make it all possible.”

The most powerful moments of the event came from the caregivers themselves. Nine Dole Caregiver Fellows spoke from the stage, sharing their personal stories of struggle and resilience. More than 60 other fellows attended the event to represent the 5.5 million loved ones caring for America’s wounded warriors. American Airlines and Hilton Hotels, with additional support from Bank of America and Hope for the Warriors, made it possible for these fellows to travel from across the nation to participate in this special event.

Acknowledging that the past year is just the start of what our nation must do to better support military and veteran caregivers, Senator Dole announced the Foundation’s Hidden Hero Impact Councils, launched earlier this year with the support of Booz Allen Hamilton. These seven councils, comprised of the leaders of the Foundation’s coalition, are focused on the most critical issues faced by caregivers: Community Support at Home; Education and Training; Employment and Workplace Support; Financial and Legal Planning; Interfaith Action and Ministry; and Respite Care. These councils, designed to bring increased strategic organization to the growing list of resources being established for caregivers, collaborated on a series of actions to take in the year ahead in support of military and veteran caregivers. (See appendix for list of council commitments)

One of the primary commitments made by the Impact Councils was a national awareness campaign to call attention to the contributions of military and veteran caregivers and the ways our nation could better offer them support. In a special recorded message, Tom Hanks pledged his support to military and veteran caregivers by leading this campaign. In his message, Hanks said, “Senator Dole pointed out to me when we met, there are heroes, millions of them, who are every day caring for our wounded veterans. I join her in this defining national effort to make us all aware of these hidden heroes – to acknowledge the work they do. . . and assistance they are going to need.”

In the lead-up to the Tom Hanks announcement, Dole Caregiver Fellow Brian Vines, a veteran who also cares for his veteran wife, spoke on the topic of national awareness. He remarked that the lack of Americans’ attention to the role of caregivers leaves those caregivers feeling isolated, hopeless and depressed. He added, “The public is aware that our veterans experience these issues, but most are unaware of the impact on caregivers. Public awareness of military and veteran caregivers is critical to empowering us to care for our loved ones.”

The Elizabeth Dole Foundation activities continued today with the Hidden Heroes: Focus on Faith, an interfaith and congressional leadership breakfast reception honoring military and veteran caregivers in the Kennedy Caucus Room of the Russell Senate Office Building. The event included Hidden Heroes Congressional Caucus co-chairs, Senators John McCain and Jack Reed, Leader Nancy Pelosi, Congressman Jeff Miller, and special guest Pastor Joel Osteen. The morning served as an example of the united, bipartisan support our military and veteran caregivers deserve, and an acknowledgement of the important role played by Congress and faith communities in ensuring them stronger support.

About The Elizabeth Dole Foundation

The mission of the Elizabeth Dole Foundation is to uplift American military and veteran caregivers by strengthening the services afforded to them through innovation, evidence-based research, and collaboration. Read more about the Foundation headquartered in Washington, DC at www.elizabethdolefoundation.org. For more information, to RSVP, and to request interviews, please contact Nicole Tieman, 202-414-0799, ntieman@susandavis.com.



The Elizabeth Dole Foundation’s Hidden Heroes Impact Councils will pursue the following actions in support of America’s military and veteran caregivers with the support and leadership of the named volunteer co-chairs:

Community Support at Home


  • Rachel O’Hern, Executive Director, Quality of Life, Inc.
  • Heather Prill Pritchard, Sr. Manager of National Partnerships and Atlanta Hometown Giving, The Home Depot Foundation


  • Launch a national awareness campaign chaired by Tom Hanks to grow America’s understanding of the challenges faced by caregivers and how they can contribute to their solutions
  • Produce and disseminate a “Caregiver Credo” developed by active caregivers for their peers to use for explaining the needs, strengths, and responsibilities of America’s caregivers to employers, community organizations, or others unfamiliar with military caregiving
  • Support the U.S. Department of Veterans Affairs in direct engagement with caregivers across the country and establish an advisory board to ensure the VA’s leadership hears feedback and ideas directly from those caring for wounded warriors.

Education and Training


  • Lynda Davis, Executive Vice President, Tragedy Assistance Program for Survivors (TAPS)
  • Marjorie Morrison, CEO and Founder, Psych Armor Institute


  • Develop a comprehensive, one-stop online clearinghouse for existing training resources and materials to help military and veteran caregivers better inform and empower themselves
  • Collaborate with experts across the Foundation’s Impact Councils to develop original online training modules across the most critical caregiving issues to educate both caregivers and those who provide caregiver services
  • Provide counsel and feedback to the U.S. Department of Veterans Affairs in coordinating education resources across the department based on the experiences of caregivers and service providers

Employment and Workplace Support


  • Eric Eversole, President, Hiring Our Heroes, U.S. Chamber of Commerce Foundation
  • Chris Giacchi, Manager of Military and Disability Recruiting, Capital One


  • Convene employment advocates, corporations and caregivers to develop a resource guide for caregivers focusing on how to market their caregiving skills and identify caregiver-friendly employment opportunities as they plan to move within, or re-enter the workforce
  • Assemble a comprehensive guide for how employers can adapt their workplace to be more caregiver-friendly
  • Continue expansion of employment hiring and networking events for military and veteran caregivers
  • Distribute best practices for hiring and employing caregivers to human resource professionals and hiring managers nationwide

Financial and Legal Issues


  • Kenneth Goldsmith, Senior Legislative Counsel and Director of State Legislation, American Bar Association
  • Justin Schmitt, Assistant Vice President for Corporate Responsibility, USAA


  • Continue to expand and actively market available pro-bono legal services for military and veteran caregivers who require assistance of legal counsel
  • Consolidate and update financial and legal best practices and resource guides for military and veteran caregivers
  • Expand pre-existing military and veteran programs, policies and services to include caregivers and their families; examples include one-on-one financial counseling, emergency funding/loans, and pro-bono legal services for a military spouse who is divorced or deceased

Interfaith Action and Ministry Council


  • Jack Lea, Executive Director, National Conference on Ministry to the Armed Forces
  • Dan Look, Chief Strategy Officer, National Lutheran Communities & Services


  • Creating and launching a strategic communications initiative to reach leaders of every faith across the entire nation, in communities large and small, building their awareness and understanding of the needs of military caregivers in their communities
  • Preparing a guide for faith leaders outlining the many, varied ways they and their members can be of support to military caregivers in their communities
  • Aggregating existing materials and creating new ones to ensure that faith leaders are knowledgeable about available resources for military caregivers
  • Developing strategies for communicating to military caregivers, ensuring that they are aware of houses of faith as resources, regardless of their personal beliefs

Mental and Physical Health


  • Catharine Grimes, Director, Bristol-Myers Squibb Foundation
  • Michelle Kees, Assistant Professor and Faculty Member of Military Support Programs and Networks (M-SPAN), University of Michigan


  • Promote and increase visibility and access to effective, evidence-based mental and physical health programs and interventions for military caregivers
  • Pursue additional research, evaluation, and validation of existing programs and services to identify best practices and gaps in support
  • Encourage and support the expansion of effective pilot programs or new interventions in areas where there is an identified need for increased support
  • Promote and encourage military caregiver peer to peer support through new and existing programs
  • Work to increase cultural competency among mental and physical healthcare providers

Respite Care


  • Jed Johnson, Vice President of Strategic Initiatives, Easter Seals
  • Jill Kagan, Program Director, ARCH National Respite Network and Resource Center


  • Increase awareness of respite:
    • Target military and veteran caregivers through the creation of easy to understand, consumer-focused documents providing an overview of respite options, potential funding and other resources
    • Target the broad community, encouraging recognition of the importance of respite for military caregivers as essential services
    • Build meaningful bridges for military families to state Lifespan Respite programs
  • Create educational opportunities for respite providers to better understand military culture and address the unique needs of military caregivers
  • Work to ensure full funding for the Lifespan Respite program included in the bi-partisan Military and Veteran Caregiver Services Improvement Act
  • Expand the availability of evidence-based and other innovative respite care options

Washington Nationals Fan Wins Behind-the-Scenes Grounds Crew Experience

MLB Auction Winner Honors Family’s Connection to Lung Cancer through Nationals Opportunity Benefitting LUNGevity Foundation


WASHINGTON (May 19, 2015) — The Washington Nationals Grounds Crew will have a new team member for the Washington Nationals vs. New York Yankees game on Tuesday, May 19. The winner of a prize through Major League Baseball’s Winter Meetings Auction will enjoy the once-in-a-lifetime opportunity to be on the field as a member of the grounds crew, getting a close up look at the field and the team.

Auction item proceeds benefit LUNGevity Foundation, the nation’s leading lung cancer nonprofit, raising funds for critical lung cancer research. LUNGevity was chosen as the beneficiary of the auction in special tribute to LUNGevity spokesperson and Major League Baseball family member, former Baltimore Orioles’ public relations director, Monica Barlow, who was only 36 when she died of lung cancer.

Auction item winner Lawrence Fung and his wife, Sarah Yuen, are no strangers to lung cancer.  The disease runs in her family.  Sarah’s uncle, aunt, and paternal grandmother, all nonsmokers, have passed away as a result of lung cancer. Sarah’s father was diagnosed with stage IV lung cancer nearly four years ago and has been fighting it ever since.

“Monica Pence Barlow’s battle with lung cancer is certainly an inspiration to all who are affected by any deadly disease.  It’s also a very sad reminder that lung cancer affects both old and young, and no one is immune,” shared Lawrence Fung of Brooklyn, NY. “We hope that LUNGevity’s work to fund lung cancer research, to raise awareness, and to provide support continues in earnest. Combining my love for baseball and our family’s direct connection to the disease, donating to this cause is the very least we can do to help LUNGevity’s efforts to improve survival rates and ultimately find a cure for lung cancer.”

“We were pleased to offer this experience as a way to raise awareness and funds for LUNGevity, a cause in which our late colleague, Monica Barlow, was heavily involved,” said Jennifer Giglio, Vice President, Communications for the Nationals. “Monica and her family were enthusiastic supporters of LUNGevity and the work the organization does to help raise funds for the fight against lung cancer. Like the other 29 clubs around Major League Baseball, we are honored to provide experiences that will further that support in her name.”

“It has been amazing to see the once-in-a-lifetime experiences that the 30 teams came up with in support of LUNGevity and our late colleague, Monica Barlow,” said Josh Rawitch, Senior Vice President, Communications for the Arizona Diamondbacks and organizer of the annual Major League Baseball Winter Meetings Auction. “She was an incredibly important part of the baseball community and the Baltimore – Washington Metropolitan community and we know that her legacy will live on in the memories created by these auction winners.”

“LUNGevity Foundation is honored to be the beneficiary of the MLB Winter Meetings Auction and to work with the Washington Nationals on this initiative,” said Andrea Ferris, president and chairman of LUNGevity. “We are grateful for their enthusiasm and support, and we hope to have future opportunities to work together.”

For media interested in photos from the Washington Nationals’ Grounds Crew Experience and/or interviews with LUNGevity spokespeople, please contact Aliza Bran at (202) 414-0798 or at abran@susandavis.com.

For more information on LUNGevity Foundation, please visit www.LUNGevity.org.


About Lung Cancer

  • 1 in 15 Americans will be diagnosed with lung cancer in their lifetime
  • More than 221,000 people in the U.S. will be diagnosed with lung cancer this year
  • About 60%-65% of all new lung cancer diagnoses are among people who have never smoked or are former smokers
  • Lung cancer takes more lives than the next three cancers (colorectal, breast, and prostate) combined
  • Only 17% of all people diagnosed with lung cancer will survive 5 years or more, BUT if it’s caught before it spreads, the chance for 5-year survival improves dramatically


About LUNGevity Foundation

LUNGevity Foundation is firmly committed to making an immediate impact on increasing quality of life and survivorship of people with lung cancer by accelerating research into early detection and more effective treatments, as well as by providing community, support, and education for all those affected by the disease. Our vision is a world where no one dies of lung cancer. For more information about LUNGevity Foundation, please visit www.LUNGevity.org.

Poor Communications Can Negate Effective Data Breach Response

O wad some Power the giftie gie us

To see oursels as ithers see us!

It wad frae monie a blunder free us…

Robert Burns – Scottish poet

One of the most critical, and apparently undervalued, aspects of response planning and preparation is communication. Credit reporting bureau Experian retained the Ponemon Institute to survey executives in the United States about how prepared they think their companies are to respond to a data breach. One of the findings that stood out: 67 percent do not believe their organization understands what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence.

How a company is perceived as managing its response to a breach will either raise or lower the cost to its reputation. Stakeholders’ expectations about what constitutes effective response are continuing to evolve. Their perception will be shaped by the actions the company takes and the way those actions are communicated.  It is imperative that a cyber incident response plan spell out actions that will be taken including the way information will be shared, and identify specific roles for the individuals who will have responsibility for managing and executing the communications effort. This includes both internal communications, beginning with the notification process (When do you inform the CEO? When do you notify the board of directors?) and external communications to various stakeholders.

Companies are wrestling with the question of when to communicate in the aftermath of a cyber attack. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. The time requirements vary from state to state. The White House and several members of Congress have proposed national data breach notification standards. The European Union currently is working toward imposing a standard that requires notification of parties affected by a data breach “without undue delay.”

The mandatory disclosure requirements are only part of the picture. From the moment a data breach is discovered, the clock starts ticking. Companies seldom will have a complete picture of the scale and scope of the attack or reliable attribution identifying the perpetrator(s) and their intentions.  Depending on the nature of the business, there will be both federal and state regulations to consider, as well as a host of sometimes competing imperatives. There will be voices suggesting the prudent course is to wait to disclose a breach. But waiting carries its own risk. The National Consumers League sponsored a study of data fraud victims, exploring their attitudes, experiences and perceptions. Carried out by Javelin Strategy & Research, the study found that breaches gravely affect consumer confidence. Significantly, nearly 90 percent of the victims felt that businesses should notify affected consumers immediately when a breach is discovered. As the adage goes, bad news doesn’t get better with age.

For every breach there is a range of potential damages, each of which will exact an economic cost. In virtually every instance, the single biggest potential for damage lies in the harm that can be done to the corporate reputation and brand. According to a recent report from Deloitte, “almost 90 percent of executives surveyed by Forbes Insights in 2014 on behalf of Deloitte say that reputation risk is their key business challenge.” Meeting that challenge during a data breach crisis requires aggressive outreach. A company that can learn from the mistakes of others will distinguish itself during a cyber crisis by seizing the opportunity to aggressively engage with its customer base and other stakeholders, and thereby solidify its relationships and reputation.


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

May 19, 2015

UPDATE: First Lady Michelle Obama Joins the Elizabeth Dole Foundation at the 2015 Hidden Heroes Coalition Summit: Progress and Promise

After helping launch the National Coalition one year ago, the First Lady will join the Foundation, along with leaders from the Department of Veterans Affairs, Congress, corporations, nonprofits, faith communities, and military and veteran caregivers to reflect on successes and look to the future

Washington, D.C., May 15, 2015   — First Lady Michelle Obama, Veterans Affairs Secretary Robert A. McDonald, Tom Hanks, and Pastor Joel Osteen will all play a part in a special week devoted to military and veteran caregivers, hosted by the Elizabeth Dole Foundation, May 19 – 21, in Washington, DC.

The Elizabeth Dole Foundation will welcome more than 70 of its military and veteran caregiver Fellows to the nation’s capital over these three days, along with senior leaders from across the public, private, nonprofit, labor and faith communities, to celebrate progress made over the past year on behalf of those caring for wounded, ill and injured warriors, and to announce upcoming initiatives to continue raising awareness and support for these Hidden Heroes.

First Lady Michelle Obama and Sen. Elizabeth Dole will be joined by National Coalition members and caregivers for the Hidden Heroes Coalition Summit: Progress and Promise on Wednesday, May 20, 2 p.m., at the Ronald Reagan Building and International Trade Center, Washington, DC. The program will feature remarks from Secretary Robert McDonald, Senator Elizabeth Dole, and a special recorded announcement from Tom Hanks. The event will also feature remarks by Harriet Dominique, Senior Vice President, Corporate Responsibility and Community Affairs, USAA, lead sponsor of the Summit. The following Coalition partners will also participate in the program: U.S. Chamber of Commerce Foundation’s Hiring Our Heroes, Capital One, Easter Seals, The Home Depot Foundation, Operation Homefront, TAPS, and the Bristol-Myers Squibb Foundation.

The following day, Thursday, May 21, Senator Dole will co-host Hidden Heroes: Focus on Faith, an interfaith and congressional leadership breakfast reception honoring military and veteran caregivers in the Russell Senate Office Building, Kennedy Caucus Room, 8:30 a.m. – 10:30 a.m. The event will include Hidden Heroes Congressional Caucus co-chairs, Senators John McCain and Jack Reed, Leader Nancy Pelosi and Congressman Jeff Miller, and special guest Pastor Joel Osteen. The breakfast will serve as an example of the united, bipartisan support for our military and veteran caregivers, and an acknowledgement of the important role played by Congress and faith communities in ensuring them stronger support. Following the event, Elizabeth Dole Fellows will meet with scores of Congressional Members to discuss the specific actions Congress can take to support military caregivers.

The Elizabeth Dole Foundation elevated the issue of military and veteran caregiving to a national level last April with the release of a Foundation commissioned study by the RAND Corporation that found military caregivers are struggling to shoulder the enormous responsibility they take on as they care for wounded service members. In response to these findings, the Foundation, alongside First Lady Michelle Obama and Dr. Jill Biden, launched a powerful coalition to address the gaps in resources identified in the study. Hidden Heroes: the National Coalition for Military Caregivers draws support from the public, private, nonprofit, labor and faith communities, which were all represented at the White House Joining Forces event and continue to be involved today.

May 20 program participants available for interview include:

  • Senator Elizabeth Dole
  • Harriet Dominique, Senior Vice President, Corporate Responsibility and Community Affairs, USAA
  • National Coalition members and program participants
  • Military and veteran caregivers from nearly every state across the country

Both events are open press. Members of the media who wish to cover Wednesday’s event must RSVP to ntieman@susandavis.com by Monday, May 18, 2015 at 5 PM ET. Press who do not have a White House hard pass must include their social security number, date of birth, country of citizenship, current city/state of residence, and gender.

About The Elizabeth Dole Foundation

The mission of the Elizabeth Dole Foundation is to uplift American military and veteran caregivers by strengthening the services afforded to them through innovation, evidence-based research, and collaboration. Read more about the Foundation headquartered in Washington, DC at www.elizabethdolefoundation.org.


Contact: Nicole Tieman




Healthcare Cybersecurity Checkup — Fail

The growing cyber siege on corporate America is forcing executive leadership to spend greater amounts of time, money and effort in defending against cyber attacks and data breaches. While no sector of the economy is immune from these attacks, the healthcare industry has proven to be a particularly appealing target. The Ponemon Institute just released the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study suggests that data breaches could be costing the industry $6 billion annually. More than 90 percent of healthcare organizations represented in the study had a data breach, and 40 percent had more than five data breaches over the past two years.

There’s no question that the healthcare sector has long been in the crosshairs of hackers and has served as a prime target for cybercriminals. Experian’s 2014 Data Breach Industry Forecast proved particularly prescient in saying, “The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches …” Before the year was out both Anthem and Premera helped validate that forecast. In terms of both scale and scope, these incidents were a shot across the bow and served to further raise awareness of a significant risk that can impact so many people. With successful penetration, cyber criminals can gain access to a data-laden gold mine for identity theft — personal, medical and financial information — sold for a premium to black market buyers. Included in the categories of information held by health insurers are full names, addresses, employment information and Social Security numbers.

According to PhishLabs, health and medical records can be sold on the black market for many times more than credit card information — fetching from $25 to $250 per record. The Ponemon study suggests that the average cost of a data breach for healthcare organizations is more than $2.1 million. This surreptitiously-obtained information is used to perpetrate medical and healthcare fraud and identity theft, costs that are ultimately passed on to consumers and add to ever rising medical premiums. Compounding the situation, children are often the victims and command the highest premium among identity thieves, since their credit is rarely monitored – and the consequence of its loss may not be realized for many years.

In addition to data breaches seeking personally identifiable information (PII) or protected health information (PHI) from health insurance companies, hospitals and healthcare providers need to be especially prepared for additional cyber risks, including threats to hospital IT networks and medical devices that can severely impact patient safety and operations.

No healthcare organization, regardless of size, is immune from data breach. That fact heightens concern over another finding of the Ponemon study — many organizations do not have the budget and resources to protect both electronic and paper-based patient information. In fact, 56 percent of healthcare organizations don’t believe their incident response process has adequate funding and resources. Until such time as healthcare organizations devote sufficient resources to better security and incident response practices, the industry will continue to be exploited to the detriment of consumers.


By Tom Davis, SDI Cyber Risk Practice


May 12, 2015

A Farewell to Ours

An essential part of business, particularly in Washington, D.C., is enlisting the talent of interns throughout the course of the year. Their enthusiasm, talents and ideas inspire our staff and motivate us to see projects and challenges from new perspectives.

Our wonderful team of interns joined us when snow covered the ground and gray clouds filled the sky. They jumped into their various assignments, and provided support across our multi-faceted client base. They compiled news clips, wrote stories, engaged with the media, and worked events, all with determination and poise.

Now, as flowers bloom and the spring semester winds down, our current class of interns is looking forward to summer breaks full of family, friends, and new opportunities. Although it’s always sad to say goodbye, we appreciate the time these young men and women dedicated to our firm and hope that as they go out into the world, they can take lessons learned and skills developed here and apply them to make life a little brighter for everyone they encounter.

Thank you Alex, Carly, Sam and Sarah for your hard work over the past four months. It has been a pleasure to help you on your path to success, and we are grateful for your ideas, hard work, and spirit. Good luck to you all!


By Nicole Tieman, SDI

May 9, 2015

The Challenge of Quantifying Cyber Risk

As cyber threats continue to increase in both complexity and scope, businesses around the world acknowledge that cybersecurity is now one of their top business threats. As a result, the purchase of cybersecurity services and tools is at an all-time high. Despite record cybersecurity expenditures, given the continually evolving cyber threat landscape, one of the key challenges facing corporations today is determining how cyber risk fits into comprehensive enterprise risk management. After a company performs a risk assessment and determines it is in fact at risk of cyber incidents, how do risk managers determine the business impact of such incidents? How do risk managers prioritize activities to address the cyber threat versus the threat of other risks such as a hurricane, pandemic or a bombing attack? How can you compare risk if you are not able to measure it?

With rapid technological innovation, the increase of devices and services provided online or connected through the Internet, and the inherent interdependencies of the Internet itself, cyber threats are unlike more traditional physical risks in important ways, including the speed at which they evolve and propagate as well as the almost unlimited attack space enabling multiple methods of attack. Adversaries also employ a “layered insecurity approach” based on multiple tiered objectives. For example, they may employ a phishing attack to gain access to a system or network as a first objective, extract files and data as a second objective and then use the information to deny services or disrupt industrial control systems. Many entities only realize months or years after the initial intrusion that they have been infected.

So, when a company states publicly that it has suffered 15 cyber attacks in the last week, what does that mean in terms of consequences? What does a cyber incident equate to in terms of consequences to the company’s finances, employees, reputation and brand, customers, market availability and other institutional concerns?

Modeling Cyber Risk

Traditionally, as a proxy for comprehensive entity risk quantification, many risk managers use insurance risk models to identify and quantify potential consequences. However, the cyber risk insurance market, although maturing, remains in its infancy, and there is a growing need for standardized models to enable companies to plan, train and resource against cyber risk.

For cyber resilience assurance to be effective, a concerted effort among ecosystem participants is required to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk.

The World Economic Forum’s (WEF) “Partnering for Cyber Resilience” initiative, of which I am a member, has turned to this challenge and members have framed the cyber value-at-risk (VAR) concept as a proposed methodology for cyber consequence quantification. The WEF released the initiative’s latest report, “Towards the Quantification of Cyber Threats,” at the annual meeting in Davos last January.

As a first step, the report encourages organizations to clearly identify and standardize information inputs that will in turn enable risk managers to implement a tailored and repeatable methodology so risk can be identified and assessed across the enterprise. Initiative members agreed that at the heart of risk identification and assessment, organizations must be able to quantify cyber risk in order to make sound investment and risk acceptance, mitigation, transfer and management decisions.

A VAR model seeks to determine the aggregate level of risk faced by an entity resulting from cyber threats over a given duration of time and at a particular level of exposure. The report suggests that in considering a cyber value-at-risk methodology, entities should look to the value of their assets, the profile of would-be attackers and their existing cybersecurity posture as key components.  The result of such a methodology would enable an organization to more fully integrate the concept of cyber risk into its comprehensive enterprise risk management framework and to prioritize resources accordingly.

The key to true cyber resilience is the resilience of the ecosystem. As the number of organizations employing such models and methodologies increases, it is my hope that we will begin to better understand the comparative risk of various sectors, interdependencies and potential cascading effects and will be able as a community to more effectively manage cybersecurity risks.


By Kirstjen Nielsen, SDI Cyber Risk Practice. Kirstjen is the Chair of the World Economic Forum’s Global Agenda Council on Risk and Resilience and is a member of the WEF’s Partnering for Cyber Resilience Initiative.


May 5, 2015

Cyber Deterrence Is a Strategic Imperative

In this post, the advice offered looks at deterrence from a U.S. perspective, but applies in full measure to many other nations who find their critical infrastructure and companies under attack. This article first appeared in the Wall Street Journal’s CIO Journal, April 28, 2015.

We have reached a tipping point. The costs to our national and economic security are high and continue to grow higher. Whether from nation states intent on stealing military, political or economic secrets, attacking our critical infrastructures, pilfering corporate intellectual property and R&D or from criminals engaging in theft, fraud and other cybercrimes, the initiative continues to remain with the attacker. It’s time to engage in cyber deterrence through a strategy to dissuade, deter, and compel would-be attackers. Deterrence is the act of making someone decide not to do something; of preventing a particular behavior from occurring.

Evan Vucci/Associated Press
A view of the National Cybersecurity and Communications Integration Center in Arlington, Va.

Earlier this month, the Administration took definitive action by promulgating an Executive Order imposing sanctions against those who seek to undermine or hamper U.S. security through cyberattacks. And just last week, the Secretary of Defense announced the Pentagon’s updated Cyber Strategy including stronger language on offensive cyber operations. It also for the first time acknowledges the need to develop a comprehensive cyber deterrence strategy which Congress initially called for in the National Defense Authorization Act in 2014. This is a good beginning and must be a critical part of a deterrence strategy for which we must be prepared to wield all instruments of statecraft including political, diplomatic, economic, law enforcement and military capabilities. Let’s be clear: this is not about deterring or temporarily defeating technologies; it is about deterring actors beyond traditional military domains, both State and non-State alike as well as their proxies by carefully crafting our policies and calibrating our tools accordingly.

To do this, we must fashion a strategy that significantly raises the stakes for threat actors. We must make the cost so high and decrease their payoff so significantly that the advantages of cyber attack activity will be greatly reduced. We must deny the adversary their objective. Penalties as envisioned under a sanctions regime will certainly help; but the plain reality is that sanctions, especially if unilateral, will not deter those seeking to reap the benefits of robbing U.S. companies. Resilience must be a key part of our cyber deterrence, allowing those U.S. companies on the front lines the ability to apply threat information and conduct joint efforts, like several we have recently seen against botnets, with a cross section of private and government participants.

Of course, many instantly connect nuclear and cyber deterrence. But let’s recall that the nuclear club is relatively limited and requires a high level of scientific expertise and financial cost to maintain and deploy. For cyber, the bar to entry is relatively low; capabilities can be acquired, built and launched covertly. Moreover, cyber power includes non-state actors, difficult attribution, and a wider field of players. Equally important, we see the private sector and individual companies forced to defend against state actors. The private sector has adopted practices that could be part of a deterrent strategy. From botnet takedowns to joint activities with Europol, companies have begun the process of “taking the gloves off” and incrementally challenging cyber threat actors. There is a role to be played in cyber deterrence by nearly every public and private entity in the U.S. – a much broader domain than the nuclear one.

We must also contend with the inevitable gray lines between Computer Network Attack (CNA) and Computer Network Exploitation (CNE). In simplest terms, this is the issue of destructive behavior – whether computer network operations actually seek to destroy as opposed to obtaining information through nondestructive means. Our strategy must recognize that offensive cyber actions must be weighed carefully against our need to maintain an exploitative capability in networks. Our adversaries collect intelligence to provide a clear economic advantage to their commercial companies, such as stealing intellectual property. Our strategy must consider these intelligence threats as such activity results in an unfair playing field in the global marketplace for U.S. companies.

Following traditional deterrence policy, we need to signal to our adversaries through covert or other offensive actions that cyber actions will result in a response.  We must signal our resolve and credibility.  Of course, there will be concerns of a cyber escalation and of potential physical damage. That is why our responses need to be incisive, surgical and clear. This is not a game of “taking down” the adversary; it is demonstrating our capability and intention to dissuade them from further damage to our national security and economy. While we need unifying principles, the specific strategies must be tailored to key state and non-state actors; the strategy to deter Russia will not work for China or Iran or North Korea and certainly not for  non-state actors such as criminal enterprises.

After many years of fledgling and unproductive efforts, we now have an opportunity to develop a broad cyber strategy including both sanctions and deterrence. We have an opportunity to bring relief to the private sector and bring credibility to our cyber policy.  Yet success will ultimately depend on our commitment to act and translate the nouns into verbs. As Nathan Bailey put it: “Threats without power are like powder without the ball.”


By Frank J. Cilluffo, SDI Cyber Risk Practice, and Rhea D. Siers, Scholar-in-Residence at CCHS and Special Counsel at Zeichner, Ellman & Krause.


April 28, 2015

Exploring the Cybersphere

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite.  Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.  

The big item for this coming week will be the deliverables from the RSA Conference in San Francisco — tens of thousands of people will flock to the Moscone Center (28,000 attended last year) April 20-24 to attend the largest cybersecurity conference. If you can’t be there, Information Security Media Group offers live streaming video feed of program security leaders.  And for those who simply want the highlights in 140 characters or less, follow @RSAConference. The theme this year is to “challenge today’s security thinking.” In line with that theme, do you know all your company’s device entry points for hackers? Few, if any do. This Forbes article may interest you.  A father-son team has found a way to secure thousands of devices at once.  Visa, Amazon, Best Buy, the U.S. Department of Defense and Nasdaq are users.

Surfacing last week, The Norse Corporation and AEI released a report “The Growing Cyber Threat from Iran: The Initial Report of Project Pistachio Harvest” detailing Iran’s cyber activities.  It concludes that they have invested heavily in their cyber attack capabilities and have revved up both the frequency and sophistication of their attacks. Clearly a concerning development executives – especially in the financial services and energy sectors — need to keep a close eye on.  I first testified before Congress on this topic in 2012, and again in 2013.

Congress will consider two cybersecurity bills this week, “Protecting Cyber Networks Act” and the “National Cybersecurity Protection Advancement Act of 2015.” Both deal with the sticky area of data sharing and liability protection for sharing information on cybersecurity threats. In our cyber blog, a colleague, Kevin Carroll of Quinn Emanuel, and I outlined pros and cons CEOs are considering as this type of cyber legislation begins to take on more actionable focus. The Hill presented another angle — a coalition of security experts urging Congress to reject the legislation outright.

Bringing the conversation down to the personal, Rhett Hernandez, SDI cyber risk management practice and former commander, Army Cyber Command, in remarks last week to board leaders, U.S. and global cyber experts, C-suite executives, and cyber security law enforcement leaders, leaned in to pinpoint the biggest threat to cybersecurity in any company – its own people. Need to change the culture; people pose an unacceptable level of threat to networks, said Hernandez. That’s echoed in Help Net Security’s article on indifference in the workplace. Daniel Velez, senior manager for insider threat operations at Raytheon Cyber Products, says in DARKReading that it’s user behavior, not data restrictions, that provides a stronger approach to breach threats and reputation damage.

Choosing the right hats to manage a crisis when it arrives is examined in CSO — companies may be better served financially by outsourcing cyber crisis management and should have partners in place way before the crisis. Finally, our infrastructure security community just got a new leader … North American Electric Reliability Corporation just tapped Marcus Sachs to lead NERC’s efforts to protect the electric sector. Sachs will step into the roles of senior vice president and chief security officer. While the term “critical infrastructure” is thrown around frequently these days, the electric sector is unequivocally at or near the top of the list.  If the grid goes down, so does everything else.  It’s good to see NERC is bringing in a pro.


Frank Cilluffo, SDI Cyber Risk Practice


April 21, 2015