CISO90DayPlan

NelsonChen,M.SC.ITCISSP,CISA,CISM

Agenda

•  Whyarewehere?•  Days0–30•  Days31–60•  Days61–90•  Days90+•  Infinity&Beyond

AvoidingReallyBadNews!

<Your Company Name Here>

Data Breach!

Don’tbetheBlocker!

MAYBE

Don’tbetheProphetofDoom

ToughestPartoftheJob

CISOPost-Breach

0-30

EstablishingRelationships&Trust

SellingCISOasaService

•  Businessenablement•  FUDisnottheonlypitch•  Education•  Sharedresponsibility•  Getsupportandbuy-in•  AddValue!

TakingInitialInventory•  OrganizationalStructure-Who’swho– Execs,BULeaders,ITOps,InternalAudit

•  ExistingPolicies,Processes,etc.•  ExistingTechnologies•  Where’stheData?•  HistoricalSecurityIncidents•  ShadowIT

LeadingTowardsBetterSecurity

ServantLeadership

SecuritySurroundsus,PenetratesusandBindsusTogether

31-60

Prioritizing&ProjectKickoff

BacktoBasics-CIATriad

Keepingitsecret

Keepingittogether

CentralOregonCommunityCollege

Keepingitup

Fox-inorFox-out?

TeamorCommittee?

SecurityTeamBuilding•  BUInfoSecOfficers–Legal,Finance,Sales,Marketing,HR,Development,IT,etc

•  Committeedriven•  Executivesponsor•  Internalauditisyourfriend•  Wherearealltheresources?

KissPNG

SecurityCommitteeGoals

•  BusinessSecurityMissionStatement•  AligningsecuritywitheachBU

-whatareweprotecting?

•  Takingdetailedinventory– Processes,Systems,Data,People

•  Budgetize,Prioritize,Projectize•  ReportingdirectlytoC-levels

KissPNG

SecurityAssessment&GapAnalysis

•  CapabilityMaturityModel(CMMI)•  CybermaturityPlatform

CMMIInstitute

Level5

Initial

Level1

Processesareunpredictable,poorlycontrolled,reactive.

Managed

Level2

Processesareplanned,documented,performed,monitored,andcontrolledattheprojectlevel.Oftenreactive.

Defined

Level3Processesarewellcharacterizedandunderstood.Processes,standards,procedures,tools,etc.aredefinedattheorganizational(OrganizationX)level.Proactive.

QuantitativelyManaged

Level4Processesarecontrolledusingstatisticalandotherquantitativetechniques.

Optimizing

Processperformancecontinuallyimprovedthroughincrementalandinnovativetechnologicalimprovements.

CMMI–5Levels

WTF-OMGCompliance

HowandWheretoFocus?

TheCybersecurityHubonTwitter

CriticalBusinessProcesses

Apttus

PatchManagementisParamount!

NationalLibraryofAustrailia

DataInventory•  What,where,why,when&how•  Followthedatatrail•  Backups•  End-usercomputers•  Storagemedia•  Archivedapplications•  What’sintheCloud?

DataClassification

•  Public,Internal,Confidential,Secret•  PII:Customer&Employee•  DefinedRepositories•  CommensurateSecurityLevels•  ManagedDataLifeCycle

SecurityPolicy•  ComplianceDriven•  BusinessDriven•  Ownership•  3rdparty•  CustomerInput•  Training•  ControlsDesign&Mapping

–  CloudControlsMatrix(CCM)-CloudSecurityAlliance

61-90

BuildingSecureFoundations

SecurityvsSecurityOperations

SecOps

Wordpress

SecurityAwarenessTraining

•  BusinessUnitRelevance•  JointdeliverywithBU-ISO•  Compliancedriven•  Sec-Dev-OpsTraining•  Relevant3rdPartytraining

ApplicationSecurity•  Everycompanyisatechnologycompany

•  In-housevs3rdParty•  SecureSDLC•  Training•  yourWebapp!

Verizon2018DBIR

BusinessContinuity

•  BusinessProcessDriven•  DisasterRecovery– DefinedRTOs&RPOs

•  BackupStrategy•  DenialofService•  Testing

StepupIT

PreparefortheWorst

DataBreachPreparedness•  BreachScenarioPlanning•  Table-topExercises•  DecisionTree•  Detection&Logging•  ContactLists•  Time-to-Notify•  Bitcoins?!

DataBreachResponse

Plan

INCASEOFEMERGENCYBREAKGLASS

Customer-FacingSecurity

•  SecuringClientServices•  SupportingSales•  CustomerSecurityCompliance•  VendorSecurityQuestionnaires•  LegalAgreements–SecurityLanguage

90+

SecurityisaBoard-levelProblem

Andamessagefromthe

•  OnNovember1,2018,DataBreachNotificationLawswillbeenforcedinCanada

KEEPCALMDOTHE

RIGHTTHINGANDCYA

TheTribeHasSpoken…

NOT ME

ChiefI’mtheScapegoatOfficer

Questions?