mark@gelhardt – CIO Summits by CDM Media · 2013-06-06 · The CISO job is to get the company to...
TRANSCRIPT
By Mark D. Gelhardt, Sr. [email protected]
5/1/2013
We will discuss the W's of the CISO:
◦ Where did the CISO come from?
◦ Who is today's CISO? How did he/she get there?
◦ What does he/she do today, and why did the CISO get these tasks?
◦ When did all these tasks come to the CISO role?
◦ Where is the CISO going? How is the CISO going to survive and even thrive in tomorrow's future?
Takeaway:
◦ This briefing is meant to open dialogue and create debate on the position of the CISO.
◦ Using past history, today's events, and debate to shape the future of the CISO.
1930s–1940s – Communications Security: security through encryption came mostly out of WWII
◦ Enigma machines – Germany during WWII
1968 – Cold War – ARPANET program plan published
◦ First discussions on password security.
1970s – The microprocessor brought the PC and a new age
1973 – Robert Metcalfe identified fundamental problems with ARPANET security (RFC 602)
1978 – Protection Analysis: Final Report published, cataloguing numerous operating-system protection flaws
1979 – "Password Security: A Case History" (Morris and Thompson) published
1980s – Decentralization of data processing systems gave rise to networking.
1990 – Networking resources made available to the general public
1995 – Internet starts to become generally available
Communication Security => Network Security => Information Security
1/17/2013 Author: Mark Gelhardt,
Increasingly Strategic Role in the Business
Increasingly Integrated into the business
Increasingly Managerial, collaborative and communicative, rather than primarily technical
Influencers, protectors, responders
Starting to Assume a business leadership role
Translate InfoSec and Cyber risk from tribal IT language to business language - risk and business impact.
Teaching the business that security is more than technology: it is people and process.
Making IS Security Strategic to the Business
The CSO should be a strategic position within the organization:
◦ This is not handed out, but needs to be earned by demonstrating an understanding of the business and of organizational management, and a willingness to establish interpersonal relationships with the business.
Establish a senior management position that understands the relevance of IT risks to the organization:
◦ Be cognizant that executives need to reconcile their responsibility to protect information with their goals of managing budgets and costs.
Make security relevant to the organization:
◦ You need to make sure that your executives understand how security is relevant to their objectives.
Develop the investment opportunity:
◦ Show how security improves their bottom line or enables them to save dollars.
Typically, the CISO's responsibilities include:
◦ Information security and information assurance
◦ Information regulatory compliance (e.g., US PCI-DSS, FISMA, GLBA, HIPAA, SOX; UK Data Protection Act 1998; Canada PIPEDA)
◦ Information risk management
◦ Information technology controls for financial and other systems
◦ Information privacy
◦ Computer Emergency Response Team / Computer Security Incident Response Team
◦ Identity and access management
◦ Information security architecture
◦ IT investigations, digital forensics, eDiscovery
◦ Disaster recovery and business continuity management
◦ Information Security Operations Center (ISOC)
Ref: Wikipedia, dtd May 2013
SKILLS CHECKLIST
◦ Business knowledge
◦ Information risk management
◦ Information governance
◦ Consulting and advisory
◦ Compliance
◦ Privacy
◦ Metrics and data analytics
◦ Change management
◦ Communications
◦ Organizational behavior and psychology
Ref: John Pironti, article, dtd 15 Jan 2013, InfoSecurity Mag
Information Security Strategic Planning ◦ Research ◦ Design ◦ Consulting ◦ Budget ◦ Liaison with Business
Information Security Operations - Tactical ◦ Monitoring – Logs/Firewalls/IDS/IPS/WAF ◦ Vulnerability Assessment ◦ Identity and Access Management
Incident Response (Business Continuity/Disaster Recovery) ◦ Forensics
Risk Management ◦ Risk Assessment
Compliance Operations ◦ Policy and Standards ◦ Security Training and Awareness
Making IS Security Tactical to the Business
Integrate the security program with the company's business strategies:
◦ And show how protecting resources and information is a competitive advantage
Provide executives an understanding of the IT risk:
◦ Make it real using risk quantification and the potential impacts of incidents, such as a breach, PCI findings, etc.
Build and document the IT security strategy:
◦ Including a detailed road map, defined goals and milestones.
◦ Measure progress and achievement, and report to executive leadership.
Develop good, informative metrics:
◦ Provide a basis for the value of security investments and for how your current program manages risk.
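The slides ask for risk quantification that executives can act on and for metrics that justify security spend, but do not say how. The following is an added worked example by the editor, not part of the original deck: it scores risk scenarios as annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence) and judges a proposed control by the annual loss it removes against what it costs (return on security investment). Both formulas are standard textbook ones that the slides do not name, and every dollar figure and probability below is constructed for illustration, not real data.

```python
"""Added example (editor's code, not from the original slides): rank risk
scenarios by annualized loss expectancy and evaluate controls by ROSI.
All figures are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: expected cost of one incident, in dollars
    aro: float  # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO (dollars per year)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction of each scenario's ALE the control removes, keyed by scenario name.
    # A control that only lowers impact (e.g. disk encryption) or only lowers
    # frequency (e.g. patching) still reduces the SLE*ARO product, so one
    # fraction per scenario is enough for this model.
    risk_reduction: Dict[str, float] = field(default_factory=dict)


def rank_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Scenarios ordered by ALE, largest first: the list to put in front of executives."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def ale_with_control(scenario: Scenario, control: Control) -> float:
    """Residual ALE for one scenario once the control is in place."""
    reduction = control.risk_reduction.get(scenario.name, 0.0)
    if not 0.0 <= reduction <= 1.0:
        raise ValueError(f"risk reduction for {scenario.name!r} must be in [0, 1]")
    return scenario.ale * (1.0 - reduction)


def annual_loss_avoided(scenarios: List[Scenario], control: Control) -> float:
    return sum(s.ale - ale_with_control(s, control) for s in scenarios)


def rosi(scenarios: List[Scenario], control: Control) -> float:
    """Return on security investment: (annual loss avoided - control cost) / control cost.
    Positive means the control pays for itself on expected loss alone."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (annual_loss_avoided(scenarios, control) - control.annual_cost) / control.annual_cost


# Constructed scenarios (hypothetical figures for a mid-size company).
SCENARIOS = [
    Scenario("cardholder data breach (PCI)", sle=2_500_000, aro=0.1),
    Scenario("ransomware outage, 2 days", sle=400_000, aro=0.5),
    Scenario("lost unencrypted laptop", sle=50_000, aro=3.0),
]

# Two candidate investments with assumed effectiveness.
DISK_ENCRYPTION = Control("full-disk encryption + MDM", annual_cost=60_000,
                          risk_reduction={"lost unencrypted laptop": 0.9})
AWARENESS_TRAINING = Control("mandatory awareness training", annual_cost=100_000,
                             risk_reduction={"ransomware outage, 2 days": 0.3})


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:32s} ALE ${s.ale:>12,.0f}")
    for c in (DISK_ENCRYPTION, AWARENESS_TRAINING):
        print(f"{c.name:32s} avoids ${annual_loss_avoided(SCENARIOS, c):>10,.0f}/yr"
              f"  ROSI {rosi(SCENARIOS, c):+.2f}")
```

With these constructed numbers the breach scenario tops the ranking even though it is the least frequent, disk encryption returns 1.25 dollars per dollar spent, and the training program comes out negative: the point the slide is making is that this kind of comparison, not a list of controls, is what executives can reason about.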
Risk Management:
◦ Ensuring that appropriate business and technical assessments are used to understand and classify assets and communicate their associated risk
◦ Working as a trusted advisor to the business in mitigating its risk to an acceptable business level
Knowledge Transfer:
◦ Creating awareness of cyber threats, and creating a security-minded culture where employees take ownership of the security of their information assets and ensure compliance with policies
◦ Use marketing segmentation to convey messages
Managing Cyber Threats:
◦ Stopping/mitigating malware and hackers, both internal and external, from stealing data and compromising enterprise security
Managing Data Loss Potential:
◦ Developing an operational and effective information life cycle program with data classification, records retention, and access control for business internal, confidential or highly confidential documents
Reactive/Inconsistent/Ineffective
◦ Constant shift in the threat landscape
◦ Zero-day vulnerabilities, denial of service
Unable to convey its business value
◦ Not viewed as a business enabler
◦ Not aligned with business goals
Driven by Compliance, NOT Security
◦ Ever-increasing number of regulations/mandates: PCI, HIPAA, SOX, GLBA
◦ Organizations use compliance to tactically address security issues
◦ Point-in-time security, not pervasive
Compliance can be used to advance the security agenda.
Compliance can foster a risk management culture.
Compliance can be a by-product of a good security posture.
Compliance is merely a security performance indicator.
But make sure that compliance doesn't lead to a false sense of security!!!
Technology Changes:
◦ Mobility
◦ Social Media
◦ Cloud
◦ Big Data
Privacy Issues (U.S./State/International)
More laws on what to do and not do
More compliance requirements
More hackers, easier entry, anyone can do it
Nation states/cyber warfare
Etc., all the things we can't think of today that will be here tomorrow.
Must understand risk assessment and analysis as a basic premise for the role of the CISO
◦ Business is all about risks, and information security risks are just another risk to be managed and assumed by the business.
Must demonstrate a sense of both business and technical balance, bringing the ability to weigh risks and threats against the business return.
Must be able to contribute to a wider business and information risk discussion and help the company make the "right" decisions associated with its resources and overall risk tolerance.
Must develop appropriate information security risk mitigation strategies based upon "real threats" and "real risks", not the "worst case scenario".
Must integrate security as part of the firm's innovation, leading the firm into territories that require security to be built into innovation.
Must understand that finance and economics matter. Must understand and use the corporate or business culture to obtain funding to secure the enterprise.
The CISO's job is to get the company to understand the risks and threats to the business and to its information assets/data.
The CISO must play the role of the “Chief Evangelist” and engage the business in the security process.
The CISO must stay focused on creating a security minded culture where all employees take ownership for the security of their information assets.
Most importantly - The CISO must change with the threats, with the business environment, with the economy.
Are you ready for CHANGE?
Over 35 years of experience in providing Executive Level management, IT Operations, and Information Security.
During his 22 years in the military Mark had the honor of working in the White House Communications Agency as the CIO/CISO for President Clinton, the VP, the White House Staff, and the U.S. Secret Service, providing all the classified automation and telecommunications services.
Since retiring from the Army and joining the civilian sector Mark has had the opportunity of working as:
Senior IT, Security, & Facilities Executive (CIO/CSO) of World Airways – the largest US wide-body long-haul charter airline.
Senior IT Executive Global IT Operations & Security (Deputy CIO/CISO) of InterCall - the world’s largest conferencing company.
President/Chief Consultant of Gelhardt IT Consulting – providing Executive Consulting services in Project Management, Data Center Operations, IT Operations, IT Executive Education and Support, and Executive Information Security support.
Mark’s current position is as the Senior Information Security Officer (CISO) for TravelClick - a Software as a Service (SaaS) company supporting the hospitality industry working with over 30,000 hotels worldwide.