mark@gelhardt - cio summits by cdm media · 2013. 6. 6. · the ciso job is to get the company to...

By Mark D. Gelhardt, Sr. [email protected]

5/1/2013 1

We will discuss the W’s of the CISO: ◦ Where did the CISO come from? ◦ Who is today’s CISO? How did he/she get there? ◦ What does he do today and Why did the CISO get these

tasks? ◦ When did all these tasks come to the CISO role? ◦ Where is the CISO going? How is the CISO going to

survive and even thrive in tomorrows future?

Take a way: ◦ This briefing is met to open dialogue and create debate

on the position of the CISO. ◦ Using past history, today's events, and debate to shape

the future of the CISO.

Author: Mark Gelhardt, [email protected] 2 5/1/2013

1930 - Communications Security – using encryption came mostly out of WWII ◦ Enigma Machines – Germany during WWII

1968 – Cold War – ARPANET Program Published/declassified ◦ First discussions on password security.

1970 – The Microprocessor brought the PC and a new age 1973 – Robert Metcalfe ID’ed fundamental problems with ARPANET Security 1978 – Protection Analysis Final Report published exposing numerous

ARPANET security violations. 1979 – Password Security: A Case History, published 1980 – Decentralization of data processing systems gave rise to networking. 1990 – Networking resources made available to the general public 1995 – Internet starts to become generally available

Communication Security =>Network Security =>Information Security

1/17/2013 Author: Mark Gelhardt,

[email protected] 3


[email protected] 4

Increasingly Strategic Role in the Business

Increasingly Integrated into the business

Increasingly Managerial, collaborative and communicative, rather than primarily technical

Influencers, protectors, responders

Starting to Assume a business leadership role

Translate InfoSec and Cyber risk from tribal IT language to business language - risk and business impact.

Teaching to business that security is more than technology it is people and process.


[email protected] 5

Making IS Security Strategic to the Business The CSO should be a Strategic Position within the Organization:

◦ This is not handed out, but needs to be earned by demonstrating and understanding of the business, organizational management, and a willingness to establish interpersonal relationship with the business.

Attempt to establish a senior management position that understands the relevance to IT risks to the organization: ◦ Be cognizant that they need to reconcile their responsibilities to protect

information with their goals of managing budgets and costs.

Make Security Relevant to the Organization: ◦ You need to make sure that your executives understand how security is

relevant to their objectives.

Develop the investment opportunity: ◦ Show improvements to their bottom line or enabling the save dollars


[email protected] 6

Typically, the CISO's Responsibilities include:

Information security and Information assurance Information regulatory compliance (e.g., US PCI-DSS, FISMA,

GLBA, HIPAA, SOX; UK Data Protection Act 1998; Canada PIPEDA) Information risk management Information technology controls for financial and other systems Information privacy Computer Emergency Response Team / Computer Security

Incident Response Team Identity and access management Information security architecture IT investigations, digital forensics, eDiscovery Disaster recovery and business continuity management Information Security Operations Center (ISOC)

Ref: Wikipedia, dtd May 2013


[email protected] 7

SKILLS CHECKLIST

Business knowledge Information risk management Information governance Consulting and advisory Compliance Privacy Metrics and data analytics Change management Communications Organizational behavior and psychology

Ref: John Pironti, article, dtd 15 Jan 2013, InfoSecurity Mag


[email protected] 8

Information Security Strategic Planning ◦ Research ◦ Design ◦ Consulting ◦ Budget ◦ Liaison with Business

Information Security Operations - Tactical ◦ Monitoring – Logs/Firewalls/IDS/IPS/WAF ◦ Vulnerability Assessment ◦ Identity and Access Management

Incident Response (Business Continuity/Disaster Recovery) ◦ Forensics

Risk Management ◦ Risk Assessment

Compliance Operations ◦ Policy and Standards ◦ Security Training and Awareness


[email protected] 9

Making IS Security Tactical to the Business Integrate the security program with the companies

business strategies: ◦ And show how protecting resources and information is a

competitive advantage

Provide executives an understanding of the IT Risk: ◦ Make it real using risk quantification and potential impacts of an

incidents, such as breach, PCI, etc.

Build and Document the IT Security Strategy: ◦ Including a detailed road map, defined goals and milestone.

Measure progress, achievement and report to executive leadership.

Develop good informative Metrics: ◦ Provide basis for value of security investments and how you

current program manages risk.


Risk Management: ◦ Ensuring that appropriate business & technical assessment are utilized to

understand and classify assets and communicate their associated risk ◦ Working as a trusted advisor to the business in mitigating their risk to an

acceptable business level

Knowledge Transfer: ◦ Creating awareness of cyber threats, creating a security minded culture

where employees take ownership for the security of their information assets and ensure compliance with policies

◦ Utilize marketing segmentation to convey messages

Managing Cyber Threats: ◦ Stopping/mitigating malware and hackers from stealing data and

compromising enterprise security, both internal and external

Managing Data Loss Potential: ◦ Developing a operational and effective information life cycle program with

data classification, records retention, assess control to business internal, confidential or highly confidential documents


[email protected] 11

Reactive/Inconsistent/Ineffective ◦ Constant shift in Threat Landscape ◦ Zero day vulnerabilities, denial of service

Unable to convey its business value ◦ Not viewed as a business enabler ◦ Not aligned with business goals

Driven by Compliance, NOT Security ◦ Ever increasing number of regulations/mandates -

PCI, HIPAA, SOX, GLBA ◦ Organization used compliance to tactically address

security issues ◦ Point in time security – not pervasive




Compliance can be used to advance security agenda. Compliance can foster a risk management culture. Compliance can be a by-product of a good security

posture. Compliance is merely a security performance

indicator.

But make sure that compliance doesn’t lead to a false sense of security!!!

Technology Changes: - Mobility - Social Media - Cloud - Big Data

Privacy Issues (U.S/State/International) More Laws on what to do and not do More Compliance Requirements More Hackers, easier entry, anyone can do it Nation States/Cyber Warfare

ETC, All the things we can’t think of today

that will be here tomorrow.



Must understand risk assessments and analysis as a basic premise for the role of the CISO ◦ Business is all about risks and Information Security risks are just another risk to be

managed and assumed by the business.

Must demonstrate a sense of both Business and Technical balance bringing the ability to weight risks and threats against the business return.

Must be able to contribute to a wider business and information risk discussion and help the company make the “right” decisions associated with their resources and overall risk tolerance.

Must develop appropriate Information Security risk mitigation strategies based upon “real threats”, “real risks”, and not “worst case scenario”.

Must integrate security as part of the firms innovation – leading the firm into territories requiring integrated security into innovation.

Must understand the finance and economics do matter. Must understand and exploit the corporate or business culture to obtain

funding to secure the enterprise.


The CISO job is to get the company to understand the risks and threats to the Business and to it’s Information Assets/Data.

The CISO must play the role of the “Chief Evangelist” and engage the business in the security process.

The CISO must stay focused on creating a security minded culture where all employees take ownership for the security of their information assets.

Most importantly - The CISO must change with the threats, with the business environment, with the economy.

Are you ready for CHANGE?



Over 35 years of experience in providing Executive Level management, IT Operations, and Information Security.

During his 22 years in the military Mark had the honor of working in the White House Communications Agency as the CIO/CISO for President Clinton, the VP, the White House Staff, and the U.S. Secret Service, providing all the classified automation and telecommunications services.

Since retiring from the Army and joining the civilian sector Mark has had the opportunity of working as:

Senior IT, Security, & Facilities Executive (CIO/CSO) of World Airways – the largest US wide body long-hall charter airline.

Senior IT Executive Global IT Operations & Security (Deputy CIO/CISO) of InterCall - the world’s largest conferencing company.

President/Chief Consultant of Gelhardt IT Consulting – providing Executive Consulting services in Project Management, Data Center Operations, IT Operations, IT Executive Education and Support, and Executive Information Security support.

Mark’s current position is as the Senior Information Security Officer (CISO) for TravelClick - a Software as a Service (SaaS) company supporting the hospitality industry working with over 30,000 hotels worldwide.



mark@gelhardt - cio summits by cdm media · 2013. 6. 6. · the ciso job is to get the company to...

Documents