Larry Clinton
CURRENT EMPLOYMENT
President/CEO Internet Security Alliance (2002-Present)
Leads a diverse board of directors consisting of 20 senior cyber practitioners (typically CISO/CIO) representing nearly every critical industry sector toward ISA’s mission. ISA’s Mission is to integrate advanced technology with economics and public policy to help build a sustainable system of cybersecurity. ISA pursues 3 major goals: 1) to promote thought leadership on cybersecurity; 2) to advocate for public policy that will help build a sustainably secure cyber system; and 3) to promote the use of effective standards and practices for cybersecurity. Sectors represented on the ISA board include agriculture, audit, banking, communications, defense, education, financial services, healthcare, insurance, manufacturing, media, retail, software development, technology, and utilities.
PARTNERSHIP ACTIVITIES AND ASSOCIATIONS (Private Sector)
IT SECTOR COORDINATING COUNCIL
ISA is a charter member of the IT SCC. Mr. Clinton has been an active participant since the SCC’s inception, including 10 years on the Executive Committee and 7 terms as an Officer: 2 terms as Chair (term limited), 2 terms as Vice Chair (term limited), and 3 terms as Treasurer.
COMMUNICATIONS SECTOR COORDINATING COUNCIL
ISA has also been a member of the Comms SCC since its inception and continues active involvement although not to the extent of the IT SCC.
CROSS SECTOR COUNCIL (formally known as the Partnership for Critical Infrastructure Security)
Served on the council as Chair and Vice chair of the IT SCC for 4 years.
CARNEGIE MELLON UNIVERSITY
Mr. Clinton holds a certification from Carnegie Mellon in Cybersecurity Risk Management.
NATIONAL ASSOCIATION OF CORPORATE DIRECTORS (NACD)
Mr. Clinton is an NACD Fellow, and regularly teaches Master Classes in cybersecurity for NACD. ISA and NACD have co-produced 5 conferences (both US and international) specifically on cybersecurity for corporate boards. Since 2014 ISA has co-produced with NACD 3 editions of the Cyber Risk Handbook for Directors which is one of NACD’s most popular publications as well as numerous other educational activities some of which are outlined below.
WORLD ECONOMIC FORUM (WEF) /NACD COLLABORATION
Operating under a 2020 MOU, ISA, NACD and WEF have created a formal collaboration focused on enhancing cybersecurity at senior management and board levels of industry.
The organizations have created a set of consensus global principles for boards of directors to follow in pursuing their responsibilities for effective cyber risk oversight. A 2022 MIT study found that use of these principles would significantly enhance organizations’ cybersecurity, including reducing incidents by as much as 80% without substantially increasing costs. ISA and the Forum will also collaborate on a program to encourage organizations to sign a pledge to adopt the principles.
CENTER FOR AUDIT QUALITY (CAQ)
Mr. Clinton served on CAQ’s Cybersecurity Action Panel (CAP), advising CAQ and the AICPA on effective cybersecurity auditing procedures.
ASSOCIATION OF GOVERNING BOARDS (AGB)
AGB represents the governing entities for US colleges and universities (Boards of Governors/Foundations/Executive Leadership). ISA worked with AGB to define best practices for cybersecurity for college and university leadership, which were the basis for a handbook for university boards and institutions on cyber risk oversight. These principles and practices were then further developed in a textbook Cybersecurity for Business
WHARTON SCHOOL, UNIVERSITY OF PENNSYLVANIA
For the past several years, ISA has “team-taught” a course in cybersecurity as part of the Stonier Graduate Program in Executive Education. ISA President Clinton and a group of ISA Board members teach the course, which covers the evolving threat of cyber-attacks and enterprise best practices used by ISA companies to address these threats.
EUROPEAN CONFEDERATION OF DIRECTORS ASSOCIATIONS (ecoDa)
ISA conducts workshops for ecoDa and ecoDa member organizations on cybersecurity and has collaborated on a pan-European version of the Cyber Risk Handbook.
JAPANESE BUSINESS FEDERATION
ISA collaborated on developing a cyber risk handbook for the Japanese market.
PARTNERSHIP ACTIVITIES AND ASSOCIATIONS (Government)
US Department of Homeland Security (DHS)
In addition to normal government-industry collaboration, DHS has partnered with ISA on all four editions of the Cyber Risk Handbooks for corporate boards by providing a chapter on what industry should expect from government on cybersecurity. For the 2020 edition, National Risk Management Center Director Kolasky authored the Foreword. DHS and ISA also co-sponsored a panel at the RSA 2020 conference in San Francisco. In 2023 the Director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, provided the Foreword for the Handbook. Mr. Clinton is also a Subject Matter Expert for CISA’s Resilient Infrastructure Development Investment Working Group (RIPDIWG).
US DEPARTMENT OF JUSTICE
DOJ has provided a chapter for the 2017 and 2020 editions of the Cyber Risk Handbook on cybersecurity law enforcement services available to the private sector. In 2023 the FBI provided this section for the handbook.
German Federal Office of Information Security (BSI)
BSI collaborated with ISA on workshops in Germany on cyber risk oversight from the board level. Also collaborated with ISA in developing a German language adaptation of the Cyber Risk Handbook produced by ISA and NACD in 2020 and an updated version in 2023. BSI Director BSI distributes the handbook throughout Germany. Senior BSI Executives meet regularly with ISA during annual visits to the USA and Mr. Clinton does the same with BSI on trips to Europe.
ORGANIZATION OF AMERICAN STATES (OAS)
ISA and OAS collaborated on a series of in-region and web-based workshops on cyber risk management. Hundreds of Latin American-based cybersecurity practitioners, academics, government officials and board members participated in the workshops and/or supplied written comments on drafts. The result was a region-wide Cyber Risk Handbook adapted specifically to the Latin American nations and culture, distributed by OAS in English, Spanish and Portuguese.
SOCIAL MEDIA: RETHINK and FIX AMERICAN CYBERSECURITY CAMPAIGNS
In 2020 and 2021 ISA conducted its RE-Think Cybersecurity campaign via social media in an attempt to start a national conversation built around the need to vastly upgrade public and private sector efforts on cybersecurity. Over 10,000 cyber practitioners, policy makers and academics signed up to join ISA’s to find more effective ways to address this critical issue. The “re-think” mantra was picked up and used regularly by senior cyber policy makers, including the Chairs of the House and Senate Homeland Security and Cybersecurity Subcommittees as well as the Acting Director of CISA. In 2022 ISA and its partner 1631 Digital received three national “Reed Awards” for the success of the campaign.
BOOKS
The Cybersecurity Social Contract, Internet Security Alliance (17 chapters / 257 pages / 24 authors; Amazon, 2016). Edited by Larry Clinton and David Perera. ABSTRACT: Book suggests the need for a theory of cyber security policy to guide effective action. Proposes building a cyber theory based on the “Economic Social Contract” which created the modern public utility model in the US and outlines specific policy options to adapt this theory to cybersecurity. Successive chapters, written by cyber practitioners, discuss how this theory and these policies can be applied in defense, healthcare, banking, utilities, IT, telecommunications, education, manufacturing, and agriculture. Also includes chapters on privacy, corporate structure, board oversight, and improving the public private partnership.
Fixing American Cybersecurity: Creating a Strategic Public Private Partnership. Georgetown University Press, Spring 2023 (scheduled). 14 chapters / 16 authors. Edited by Larry Clinton. ABSTRACT: Book maintains US cyber policy hasn’t changed substantially in 30 years and is failing on multiple measures. Suggests a core reason for this failure is an overemphasis on technology (how attacks occur) and not enough on economics (why attacks occur). Documents how adversaries as diverse as nation states and criminal enterprises have developed effective strategies that, if not countered, will raise enormous risk to the USA. Provides detailed analysis of why current tactics (law enforcement, regulating info sharing etc.) are failing and provides detailed structural and policy recommendations based on documented effectiveness of private sector programs. Subsequent chapters, written by expert practitioners working in the sectors, apply this analysis to defense, financial services, healthcare, IT, retail and utilities.
Cybersecurity for Business: Insuring Cyber Risk is NOT Just an IT Issue. Kogan Page, Spring 2022 (scheduled). 12 chapters / 15 authors. Edited by Larry Clinton. ABSTRACT: Book outlines the process involved in integrating the entire enterprise in a coordinated cyber risk management culture. Book argues that cyber must be understood as a strategic business issue and outlines how leading enterprises are now evolving their corporate structures to address cyber risk from an enterprise-wide perspective. Documents how boards of directors internationally are gravitating toward consensus principles of cyber risk oversight and identifies how management teams need to respond to accommodate this new understanding of cyber risk. Contains specific chapters, written by expert practitioners, that describe how departments as diverse as IT, legal, HR, compliance, and supply chain must coordinate, and describes how economic metrics need to be integrated into a culture of cybersecurity across diverse functions ranging from IT operations to mergers and acquisitions.
CHAPTERS IN BOOKS
“The Evolving Cybersecurity Threat and an Architecture for Addressing It” by Larry Clinton Navigating the Digital Age p37-43. Matt Rosenquist, Editor. Claxton Business and Legal, 2015
“A Cybersecurity Action Plan for Corporate Boards” by Larry Clinton and Ken Daly Navigating the Digital Age, p 65-71. Matt Rosenquist, Editor. Claxton Business and Legal, 2015
ARTICLES IN PROFESSIONAL JOURNALS
“What Are You Afraid of? Roles and Responsibilities in the Public Private Partnership to Secure Cyberspace” by Larry Clinton Cutter IT Executive Update Vol. 2 No. 15 p. 1-5 Cutter Consortium 2005
“Governance in the Age of IT” by Larry Clinton Cutter IT Journal of Information Technology Management Vol 18 NO 9 Cutter Consortium September 2005 P 13-19
“Insuring IT Security Without Regulation” by Larry Clinton Cutter IT Executive Update Vol. 3 No. 24 p. 1-5 Cutter Consortium 2006
“Improving Security and Revenue Through Corporate Structure” by Larry Clinton Cutter IT Executive Update Vol. 3 No. 23 p. 1-4 Cutter Consortium 2006
“Securing Cyberspace: Is it Time to Rethink our Strategy” by Larry Clinton Cutter IT Journal of Information Technology Management Vol 19 No. 1 January 2006 Cutter Consortium P3-5 (Larry Clinton Guest Editor)
“Securing Cyberspace: Exactly What Should We be Doing” by Larry Clinton Cutter IT Journal of Information Technology Management Vol 19 No. 5 May 2006 Cutter Consortium p 1-5 (Larry Clinton Guest Editor)
“Education’s Critical Role in Cybersecurity” by Larry Clinton Educause Review Vol 44 No 5 September -October 2009 EDUCAUSE Review p.60-62
“One Side Now: The Need to Adopt a Business Systems Approach to Cloud Security” by Larry Clinton Journal of Software Technology Vol 14 No 4 2011 DCS p 36-38
“A Relationship on the Rocks the Public Private Partnership for Cyber Defense” by Larry Clinton Journal of Strategic Security Vol 2 No4 Winter 2011
“A Theory to Guide US Cybersecurity Policy” by Larry Clinton Cutter IT Journal of Information Technology Management Vol 24 No. 5 May 2011 Cutter Consortium p 30-35
“Best Practices for Operating Public Private Partnerships in Cyber Security” by Larry Clinton Journal of Strategic Security Vol 8 No4 Winter 2015
“International Principles for Boards of Directors and Cybersecurity,” by Larry Clinton Cyber Security: A Peer Reviewed Journal, March 2021 (Expected)
ARTICLES IN GENERAL AND BUSINESS PRESS
“On the Record” by Larry Clinton Government Executive Magazine September 2003 P 84
“Waking the Castle” by Larry Clinton Business Management Magazine Spring 2004 P 51-52
“Can Congress Mandate Cybersecurity” Business Management Magazine Fall 2005 P 160
“Cybersecurity in the Board Room” by Larry Clinton April 19, 2014 USA Today
“Revolutions in Business; Cybersecurity is not just an IT Issue” by Larry Clinton, USA Today (April 2020)
TESTIMONY BEFORE GOVERNMENT BODIES
· 2003-10-23 Buenos Aires, Argentina, Organization of American States (OAS) Conference on Cybersecurity, “What 9/11 Teaches Us About Information Sharing and Cybersecurity,” Larry Clinton, President, Internet Security Alliance (trip sponsored by US State Dept.)
· 2004-04-21 House Subcommittee on Technology, Information Policy, Intergovernmental Relations “Protecting Our Nation’s Cyber Space: Educational Awareness for the Cyber Citizen,” Larry Clinton, President, Internet Security Alliance (ISA)
· 2006-09-13 Subcommittee on Telecommunications and the Internet “Cybersecurity: Protecting America’s Critical Infrastructure, Economy, and Consumers,” Larry Clinton, President ISA
· 2007-10-31 House Homeland Security’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Enhancing and Implementing the Cybersecurity Elements of the Sector Specific Plans,” Larry Clinton, President, ISA
· 2008-11-10 NATO Center for Cyber Excellence, Turin Estonia, “The Cyber Security Social Contract: A Theoretical Model for Cybersecurity,” Larry Clinton, President, ISA (trip sponsored by US State Department)
· 2009-05-01 House Subcommittee on Communications, Technology and Internet, “Cybersecurity: Network Threats and Policy Challenges,” Larry Clinton, President, ISA
· 2009-11-17 United States Senate Judiciary Committee, “Cybersecurity and the Advanced Threat,” Larry Clinton, President, ISA
· 2011-06-24 House Homeland Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, “Examining the Impact of the Obama Administration’s Cybersecurity Proposal,” Larry Clinton, President, ISA
· 2012-02-08 House Subcommittee on Communications and Technology Committee on Energy and Commerce, “Cybersecurity: Threats to Communications Networks and Private-Sector Responses,” Larry Clinton, President, ISA
· 2015-07-15 House Subcommittee on Science Oversight, “Developing Effective Metrics for Cybersecurity,” Larry Clinton, President, ISA
· 2016-08-08 House Government Reform Oversight Committee, “What Government Can Learn from the Private Sector on Cybersecurity,” Larry Clinton, President, ISA
· 2019-09-27 OAS Conference on Cybersecurity, “A Cyber Risk Handbook for Latin American Corporate Boards,” Larry Clinton, President, ISA (sponsored by OAS)
· 2020-02-04 G-20 Committee on Digital Economy, Riyadh, Saudi Arabia, “Addressing the Economics of Cyber Security,” Larry Clinton, President, ISA (sponsored by G-20)
ISA BEST PRACTICES PUBLICATIONS
A COMMONSENSE GUIDE FOR SENIOR MANAGERS: TOP TEN RECOMMENDED INFORMATION SECURITY PRACTICES. ISA July 2002
COMMON SENSE GUIDE TO CYBERSECURITY FOR SMALL BUSINESSES: A 12 STEP PROGRAM FOR INFORMATION SECURITY ISA MARCH 2004 (endorsed by DHS, NAM, ABA, NFIB, Staysafeonline)
COMMON SENSE GUIDE TO PREVENTION AND DETECTION OF INSIDER THREATS By Dawn Cappelli ISA and Carnegie Mellon University CyLab 2006
CONTRACTING FOR INFORMATION SECURITY IN COMMERCIAL TRANSACTIONS: AN INTRODUCTORY GUIDE ISA 2007 (sponsored by Information Systems Security Association)
THE FINANCIAL IMPACT OF CYBER RISK: 50 QUESTIONS EVERY CFO SHOULD ASK ABOUT CYBERSECURITY, ISA and The American National Standards Institute –ANSI (2008)
NAVIGATING COMPLIANCE AND SECURITY FOR UNIFIED COMMUNICATIONS, ISA (2009)
THE FINANCIAL MANAGEMENT OF CYBER RISK: AN IMPLEMENTATION FRAMEWORK FOR CFOS, ISA and ANSI (2010)
THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION: A BUSINESS CASE FOR ENHANCED PHI SECURITY, ISA, ANSI AND SHARED ASSESSMENTS (2012)
THE ADVANCED PERSISTENT: PRACTICAL CONTROLS THAT SMALL AND MEDIUM BUSINESS LEADERS SHOULD CONSIDER IMPLEMENTING, ISA 2013
CYBER RISK OVERSIGHT DIRECTOR’S HANDBOOK (first edition) prepared by Larry Clinton, National Association of Corporate Directors and ISA 2014
MANAGING CYBER RISK: A HANDBOOK FOR GERMAN BOARDS prepared by Larry Clinton and Stacey Barrack (2016) ISA and the German Federal Office of Information Security (BSI) (available in German and English) (first edition 2017, second edition in development)
CYBER RISK HANDBOOK FOR LATIN AMERICAN BOARDS prepared by Larry Clinton and Josh Higgins ISA and the Organization of American States (available in Spanish, Portuguese and English) (2019)
The Cyber Risk Handbook for Pan European Boards of Directors (2020) prepared by Larry Clinton and Josh Higgins ISA with The European Confederation of Directors’ Associations (ecoDa)
Cyber Risk Oversight 2020 prepared by Larry Clinton ISA and NACD 2020 (third edition)
The Cyber Risk Handbook for Japanese Boards (2020) ISA and Japanese Business Federation
The Cyber Risk Handbook for Asian Region (2021) ISA and AIG
The Cyber Risk Handbook for Higher Educational Institutions (2021) ISA and Association of Governing Boards USA
PUBLIC POLICY WHITE PAPERS
THE CYBER SECURITY SOCIAL CONTRACT: POLICY RECOMMENDATIONS FOR THE OBAMA ADMINISTRATION AND 111TH CONGRESS, Internet Security Alliance (2008)
SOCIAL CONTRACT 2.0: A 21ST CENTURY PROGRAM FOR EFFECTIVE CYBER SECURITY, Internet Security Alliance (2009)
“IMPROVING OUR NATION’S SECURITY THROUGH THE PUBLIC PRIVATE PARTNERSHIP,” The Internet Security Alliance, in conjunction with the US Chamber of Commerce, TechAmerica, BSA and the Center for Democracy and Technology (2011)
AWARDS
· “Excellence in Collaboration” from On-Line Trust Alliance 2010
· “Corporate 100” List of the Most Influential Individuals in Corporate Governance from National Association of Corporate Directors 2015
· Editor’s Choice Award from SC Magazine 2016
· “Corporate 100” List of the Most Influential Individuals in Corporate Governance from National Association of Corporate Directors 2017
· “Leadership Award” from Association of Certified Fraud Examiners 2017
· “Honor Roll” from Cyber Future Foundation 2018
· Board Leadership Fellow Award NACD 2019
· National Cyber Summit (India) Outstanding Contributions to Infrastructure Security 2019
· Reed Award for Best Public Interest Campaign 2022
· Reed Award for Best Use of Market Targeting 2022
· Reed Award for Best Use of Advanced Metrics 2022
OTHER PROFESSIONAL BACKGROUND
Campaign Manager Jakobsson for Congress (1983/84)
Communications Director then Legislative Director Congressman Terry Bruce (D-Ill-19) 1984-1987. Responsible for Energy and Commerce Committee and Science and Technology Committee
Legislative Director for Congressman Rick Boucher (D-VA-9) 1987-1990 Responsible for Energy and Commerce Committee/Telecommunications and Finance Subcommittee & Science and Technology Committee
Vice President Large /Company Affairs United States Telephone Association (1990-2002)
EDUCATION
Iona College New Rochelle NY BA Communications
University of Maryland, College Park MD MA Political Communications
University of Illinois Champaign Urbana Illinois coursework for PhD in Communication Theory (ABD inactive)