A day in the life of a CISO (and advice for people looking to come into the CISO role)
A day in the life of a CISO
Dimitrios Stergiou (@dstergiou)
• CISO @ NetEnt, then CISO @ MTG
• 18 years InfoSec experience (engineer, consultant, manager)
• Mini bio:
– Greek (and Swede)
– Loves: InfoSec, Social Engineering, Economics, Video games
– Hates: Vegetables, Rain, Pronouncing “j” as “y”
Disclaimer
I don’t have the ultimate truth
But I am also NOT trying to sell you anything
Listen, question and take everything with a grain of salt
So, what does a CISO do?
The team:
• CISO
• Security architect
• InfoSec Engineer(s)
• AppSec Engineer(s)
The side team:
• Legal
• Compliance
• Operations
• Development
• HR
A typical day in the life of a CISO (based on empirical data)
• 01:00 – Check the Internet for impending doom
• 01:30 – Sleep (if no impending doom)
• 07:30 – Wake up, have breakfast, take gnome to school
• 08:30 – Read email on the bus
• 09:00 – Arrive at the office
• 09:15 – Review the changes in CAB and approve or reject
• 09:30 – Reply to urgent emails that I read but couldn’t reply to while on the phone
• 10:00 – Review of threat intelligence, security dashboards
• 10:15 – Daily meeting with the team
• 10:30 – Daily check with Legal, Compliance, HR
• 11:00 – Quick coffee with CIO, CTO, make sure nothing is exploding
• 11:20 – Poke head into CEO’s office to ask for more security budget
• 11:30 – Lunch (usually with the team or the head of the teams that we “need”)
• 13:00 – Politely hang up on vendors that offer the dream solution
• 13:30 – Meeting, meeting and meeting
– New technologies that developers want to introduce
– Security requirements for a new application
– How GDPR affects our privacy policies
– Plan next year’s awareness training
– Review of new corporate software
– Entry into new markets
– Business Continuity update
• 16:00 – Remind the C-level execs that we need to review the risk registry
• 17:00 – Leave the office
• 17:30 – Keep reading mail on the bus
• 18:00 – Arrival at home
• 22:00 – Family is asleep, knowledge build-up
Goals
The main goal
[Pie chart “Pie of Doom”: What I know / What I know I don't know / What I don't know I don't know (15 / 25 / 60)]
Less red, more of the other colors
• Ensure the C-level execs are comfortable with the risk appetite
• Ensure I am comfortable with how we treat risks
• Balance risk and cost
• Run an effective team
• Establish top-notch incident management
• Use resources and knowledge outside my team effectively
• Prioritize work based on risk
• Help my team grow
• Be a servant leader
What about you?
CISO does…
• Policy
• Governance
• Strategy
• People
• Business enablement
• Compliance
• Architecture
• Helping others
Expect to be heavily involved in all of these areas!
What do I need to know to become a CISO?
Risk management
• Risk management is king
• Risk cannot be eliminated
• Risk is everywhere
Reporting
• Doesn't really matter where you report
• Lead with attitude, not with authority
Background
• Operations background is fine
• Development background is fine
• People background is fine
Relationships
• Make friends fast
• Support peers
• Respect people (no matter what)
• Learn the meta
Business
• Know your company (and divisions)
• Know the business environment
• Learn how to research
Sales
• Evangelize security in your organization
• Know how to “sell” security to different C-level execs
• Speak business, not technology