Information Assurance | ISACA


CISO’S FIRST 120 DAYS

EXPERT ADVICE AND LESSONS LEARNED

What is a CISO?

• Top-most dedicated technology security role in the organization (as defined by the company structure)

• Might or might not report to the CEO

• May be the CSO, VP Information Security, or similar

CISO as a Technologist

ISO 27001 - CISO

• Compliance

– Remain in continuous contact with authorities and special interest groups

– Coordinate all efforts related to personal data protection

• Documentation

– Responsible for creating, reviewing, and updating main documents

• Risk management

– Teach employees how to perform risk assessment

– Coordinate the whole process of risk assessment

• Human resources management

– Training and awareness

– Ensuring background checks

• Relationship with top management

– Propose information security objectives

– Report on the results of measuring

– Propose security improvements and corrective actions

– Propose budget and other required resources for protecting the information

– Notify top management about the main risks

– Advise top executives on all security matters

• Improvements

• Asset management

• Third party management

• Communication

• Incident Management

FISMA Senior Agency Information Security Officer

• Performing information security duties as the primary duty

• Ensure agency compliance with information security requirements

• Assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency

• Develop and maintain information security policies, procedures, and control techniques

• Provide adequate information security for networks, facilities, and systems or groups of information systems

• Ensuring that agency personnel, including contractors, receive appropriate information security awareness training

• Training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities

• Periodically testing and evaluating the effectiveness of information security policies, procedures, and practices

• Establishing and maintaining a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency

• Developing and implementing procedures for detecting, reporting, and responding to security incidents

• Ensuring preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency

• Supporting the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

NIST SP 800-100 Information Security Handbook: A Guide for Managers

FFIEC - CISO

The CISO is “a strategic and integral part of the business management team”

• Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks.

• Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks.

• Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.

• Monitoring emerging risks and implementing mitigations.

• Informing the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information.

• Championing security awareness and training programs.

• Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats.

• Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate.

IT Management Handbook 2015

CISO as a Business Executive

Forrester says

SC Magazine

• Technical leader or Policy Writer:

– Thought leader

– Strong understanding of technology

– Able to make things happen

– Able to articulate complex technical issues and risks effectively

http://www.scmagazine.com/what-are-the-duties-of-a-ciso-it-depends/article/304601/

CSO Magazine

• Organizational Readiness:

– Data Breach experience makes a difference

– Ability to influence and affect employee behavior

– Authority to report progress and challenges

– Receive corporate support should the inevitable ‘security event’ happen

http://www.csoonline.com/article/2122505/infosec-careers/it-careers-what-is-a-chief-security-officer.html

CIO Magazine

• Business acumen and analytics

• Creativity and innovation

• Business-to-business communication

• Relationships, influence and presence

• People leadership

Ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.

http://www.cio.com/article/2367504/security0/inside-the-changing-role-of-the-ciso.html

First days

Gartner Says

• Key Findings:

– Understand business requirements and expectations

– Communicate how those expectations have been met

– Be a leader and a communicator, not a technologist

– Establish credibility

– Lay the foundation for a sound security program

A strong plan established in the first 100 days leads to overall success

Gartner Says

First 100 Days

McKinsey and Co.

• Start the first 100 days before your first day

• Clarify and strengthen your mandate

• Build relationships with business unit executives and agree upon priorities

• Develop the plan

• Build your team

• Rally the IT organization

• Demonstrate leadership through visible results and actions

• Continue your personal journey

[Timeline figure: Days 0 to 101]

CSO Magazine

• Learn the business before you start trying to implement any type of changes.

• Come across as likeable, credible, and the person that can get things done.

• It is imperative that CSOs show everyone they work with that they are a trusted resource, not the “loose cannon” that is unpredictable.

• CSOs need to learn to become the “trusted adviser” up and down the corporate ladder.

• It is very important to have relationships with the network, communication, and telephony guys and not just with the board and C-suite.

• Have an independent risk-based security assessment -- look at governance and operation. It helps to have engagement with the board of directors.

• The CISO needs to be business savvy and all encompassing

http://www.cso.com.au/article/590726/what-csos-should-do-their-first-days/

Shortlist – Technical

• Understand your compliance environment – regulatory and industry

• Do a security gap assessment

• Do an enterprise risk assessment

• Assess your staff and don’t be afraid to make changes

Shortlist – Nontechnical

• Get to know your new business

• Understand your compliance environment – regulatory and industry

• Listen to the “old guard” but develop your own opinions

• Manage up

• Manage your peers

• Manage down

• Hire the right people

• Don’t be afraid to manage someone out

• Learn to write well/speak with authority

If you don’t have the skill, learn it

Manage up

WSJ: “enhance your manager's work”, “be described as indispensable”

“Doing what you can to make your manager's job easier will help them do their job”

Manage Down and Across

• Give your staff and your peers in other areas of the business the information to make appropriate decisions

• Support your staff in their decisions

• Counsel and mentor when things go wrong

Presenting to the Board

Board Deck: Top IT Risks

Multipliers are Co, In, Av, Im, Pr; Risk is the computed total. The Status, Forecast and Last Q columns held trend and status icons that did not survive extraction; the legend below lists what they stood for.

Rank      Identified Element                                      Target          Co  In  Av  Im  Pr  Risk

Priority Tasks

 1        Event monitoring and incident response                  June 2016        5   3   5  15  15  2925
 2        Lack of global incident response program and process    EOY 2016         5   3   5  15  13  2535
 3        Lack of data use security controls with Siebel          September 2016   5   5   1  15  15  2475
 4        Inefficient and insufficient security framework         EOY 2016         5   5   5  13  11  2145
 5        Lack of secure coding practices                         September 2016   5   3   1  15  15  2025
 6        Risks around Core Nav Tools                             2017-18          5   5   5  13  10  1950
 7        Insufficient access controls at the network layer       EOY 2016         4   4   1  15  13  1755
 8        Lack of a business-driven continuity of business plan   EOY 2016         1   5   5  15  10  1650
 9        Network Penetration test remediation                    September 2016   5   5   5  15   7  1575
10        Lack of a Risk Management over suppliers                June 2016        3   3   5  15   8  1560

Best Effort

11 (new)  Inadequate use of Data Loss technologies                May 2016         5   5   1  10  10  1100
12        System Age: Lakeshore Call Center Infrastructure        EOY 2016         1   3   5  12  10  1080
13        Dated and inefficient Risk management processes         September 2016   4   5   1  10  10  1000
14 (new)  Inappropriate employee/contractor access to fileshares  Tbd              5   5   5  10   3   450
15 (new)  Locations of sensitive information poorly understood    Tbd              5   1   1  10   5   350

Trend icons: [icon] = positive trend; [icon] = negative trend; [icon] = stable

Risk Status icons: [icon] = fully complete; [icon] = zero progress; [icon] = Critical but no movement

Risk Multipliers

Confidentiality (Co): Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Parameters: 1 to 5)

Integrity (In): Guarding against improper information modification or destruction. (Parameters: 1 to 5)

Availability (Av): Ensuring timely and reliable access to and use of information. (Parameters: 1 to 5)

Impact (Im): The effect of a loss of Confidentiality, Integrity, or Availability. (Parameters: 1 to 15)

Probability (Pr): The likelihood that an event may occur. (Parameters: 1 to 15)

Risk = (Co + In + Av) × (Im × Pr)
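The multiplier model above is small enough to put into a scoring tool, and doing so makes the arithmetic in a board deck checkable before it is presented. The following Python is an added example, not code from the deck or from ISACA: it implements Risk = (Co + In + Av) × (Im × Pr), rejects values outside the parameter ranges the slide states, ranks a register and splits it into Priority Tasks and Best Effort the way the board table does (ranks 1-10 and 11-15), and recomputes each recorded total to flag rows that disagree with the formula. The rows are the deck's own table entries; the function and class names (`risk_score`, `RiskItem`, `rank_register`, `check_recorded_totals`, `board_summary`) are this example's choices.

```python
"""Added example (not from the ISACA deck): board-deck risk scoring.

Implements the deck's multiplier model Risk = (Co + In + Av) x (Im x Pr),
validates each multiplier against the ranges stated on the slide, ranks a
register into Priority Tasks / Best Effort, and recomputes recorded totals.
"""
from dataclasses import dataclass
from typing import List, Optional

# Parameter ranges exactly as the deck's "Risk Multipliers" slide states them.
RANGES = {"co": (1, 5), "in_": (1, 5), "av": (1, 5), "im": (1, 15), "pr": (1, 15)}


def is_valid(co: int, in_: int, av: int, im: int, pr: int) -> bool:
    """True when every multiplier is an integer inside its stated range."""
    values = {"co": co, "in_": in_, "av": av, "im": im, "pr": pr}
    return all(
        isinstance(v, int) and RANGES[k][0] <= v <= RANGES[k][1] for k, v in values.items()
    )


def risk_score(co: int, in_: int, av: int, im: int, pr: int) -> int:
    """Return (Co + In + Av) x (Im x Pr). Out-of-range inputs are rejected rather
    than scored, because a stray 0 or 16 silently reorders the whole deck."""
    if not is_valid(co, in_, av, im, pr):
        raise ValueError(f"multiplier out of range: co={co} in={in_} av={av} im={im} pr={pr}")
    return (co + in_ + av) * (im * pr)


@dataclass(frozen=True)
class RiskItem:
    element: str
    target: str
    co: int
    in_: int
    av: int
    im: int
    pr: int
    recorded_total: Optional[int] = None  # total as typed into the deck, if any

    @property
    def score(self) -> int:
        return risk_score(self.co, self.in_, self.av, self.im, self.pr)


def rank_register(items, priority_count: int = 10):
    """Sort highest score first and split the way the deck does:
    the top ten are Priority Tasks, the remainder Best Effort."""
    ordered = sorted(items, key=lambda r: r.score, reverse=True)
    return ordered[:priority_count], ordered[priority_count:]


def check_recorded_totals(items):
    """Rows whose typed total disagrees with the formula, as (element, recorded, recomputed)."""
    return [
        (r.element, r.recorded_total, r.score)
        for r in items
        if r.recorded_total is not None and r.recorded_total != r.score
    ]


# The deck's own table rows: (element, target, Co, In, Av, Im, Pr, recorded total).
DECK_ROWS = [RiskItem(*row) for row in [
    ("Event monitoring and incident response", "June 2016", 5, 3, 5, 15, 15, 2925),
    ("Lack of global incident response program and process", "EOY 2016", 5, 3, 5, 15, 13, 2535),
    ("Lack of data use security controls with Siebel", "September 2016", 5, 5, 1, 15, 15, 2475),
    ("Inefficient and insufficient security framework", "EOY 2016", 5, 5, 5, 13, 11, 2145),
    ("Lack of secure coding practices", "September 2016", 5, 3, 1, 15, 15, 2025),
    ("Risks around Core Nav Tools", "2017-18", 5, 5, 5, 13, 10, 1950),
    ("Insufficient access controls at the network layer", "EOY 2016", 4, 4, 1, 15, 13, 1755),
    ("Lack of a business-driven continuity of business plan", "EOY 2016", 1, 5, 5, 15, 10, 1650),
    ("Network Penetration test remediation", "September 2016", 5, 5, 5, 15, 7, 1575),
    ("Lack of a Risk Management over suppliers", "June 2016", 3, 3, 5, 15, 8, 1560),
    ("Inadequate use of Data Loss technologies", "May 2016", 5, 5, 1, 10, 10, 1100),
    ("System Age: Lakeshore Call Center Infrastructure", "EOY 2016", 1, 3, 5, 12, 10, 1080),
    ("Dated and inefficient Risk management processes", "September 2016", 4, 5, 1, 10, 10, 1000),
    ("Inappropriate employee/contractor access to fileshares", "Tbd", 5, 5, 5, 10, 3, 450),
    ("Locations of sensitive information poorly understood", "Tbd", 5, 1, 1, 10, 5, 350),
]]


def board_summary(items) -> List[str]:
    """Plain-text deck lines: group label, then rank, recomputed score, element,
    and a flag wherever the recorded total does not match the formula."""
    priority, best_effort = rank_register(items)
    lines, rank = [], 0
    for label, group in (("Priority Tasks", priority), ("Best Effort", best_effort)):
        lines.append(label)
        for r in group:
            rank += 1
            flag = "" if r.recorded_total in (None, r.score) else f"  (recorded {r.recorded_total})"
            lines.append(f"{rank:>2}  {r.score:>5}  {r.element}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(board_summary(DECK_ROWS)))
    for element, recorded, recomputed in check_recorded_totals(DECK_ROWS):
        print(f"CHECK: '{element}' recorded {recorded}, formula gives {recomputed}")
```

Running the check over the deck's rows is instructive: every row reproduces its recorded total except the supplier risk, where the transcribed multipliers (3, 3, 5, 15, 8) evaluate to 1320 rather than the 1560 shown, which is precisely the kind of slip a board member will notice before you do. Because 1320 still sits between 1575 and 1100, the ranking and the Priority Tasks / Best Effort split come out the same as in the deck.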

Risk is currently assessed against the CIS Critical Security Controls (formerly SANS Top).

In 2016, the NIST Risk Management Framework using the CIS Critical Security Controls, while continuing to support the legacy risk management system.

Tell the board what they need to know

Lest they tell you

Stay away from this

Use something like this

Present your ISMS in simple terms

Questions?