RSA 2017 - CISO's 5 Steps to Success
TRANSCRIPT
How CISOs assess their Security Program for Success
RSA Conference 2017
It’s about Visibility, people!
As a CISO, when assessing a security program you tend to have more questions than answers.
Visibility
Cyber as a Business Enabler
“Cyber as a Business Enabler”
5 steps I have used for a successful security program
Step #1 – “Meet & Greet”
Meet & Greet – it’s about relationships
Building the relationships for Success
Step #1 – “The Meet & Greet”
• “Security doesn’t work in a Vacuum, however it works well in a Community”
• Grow your “Human Network”
• Meet your Team
• Meet Your Stakeholders
• Identify Influencers
• Meet Key Executive Leadership
• Know the responsibility & authority of your position
• Sometimes it’s more than what you realize
Step #2 - Inventory
Inventory – You can’t protect it if you don’t know it exists
Understanding what is in your enterprise
Step #2 – “Inventory”
• “To protect your organization, know your enterprise environment”
• People (Team Members, Contractors, Peers)
• Reports (Contracts, Metrics, Prior Audits, Inspections)
• Architecture (Network, Location, Hardware, Application, Cloud)
• Budgets (Security Program, Department, Organization)
• Processes & Policies (Security Strategy, Policies, Workflows, Laws, Regulations, Compliance)
• Review your Predecessor’s documents, emails, notes.
• Now review their notes on your team members
Step #3 - Assessment
Assessment – Just how mature is my program, what issues will I need to address?
Time to measure your controls with a framework
Step #3 – “Assessment”
• “Continuous Assessment, establish and verify your baseline”
• Health of your Security Suite
• Review recent audits, policies, projects
• Current audit findings, recommendations?
• Measure Your Security
• Are you meeting your security metrics?
• Are you meeting performance metrics?
• Are you meeting 3rd Party Assessment Frameworks?
• Are you meeting Compliance Requirements?
Step #4 - Planning
Planning – Now that we know our security gaps, what’s the plan to remediate them?
Putting your vision into a plan
Step #4 – “Planning”
• “Your Security Program & Team are key to your Organization”
• Draft your “Vision” of the Security Program
• Challenges to the current program
• Build your Strategic Security Project Plan
• Use your Project Plan to build your Security Budget
• Start Immediately (Momentum is key)
• Will Correcting Issues = Clear Business Benefits?
• Reduce Risk Exposure?
• Will Fixing the Issues = Credibility for your Team?
Step #5 - Communicate
Communicate – Time to make the case for our plans to remediate our issues and mature the program.
Making the case for change and the funds you require!
Step #5 – “Communicate”
• Socialize your Security Vision
• Vision = “Where we want to be”
• Assessment = “Where we currently are”
• Gap Analysis = (Vision – Assessment)
• Gap Analysis = Strategic Security Project Plan = Security Budget
• Socialize the Security Gap
• Correcting findings brings value to the business
• “Visibility = Executive Sponsorship = Budget”
Some takeaways to assist you
Some points to remember
• You will be collecting and reviewing an enormous amount of data
• This will take time, normally between 3-6 months
• Leverage your “Human Network”
• Use your team, your peers, vendors and stakeholders
• Don’t be afraid to ask for help
• Collaborate
• Share your information
• Visibility is crucial for your Team and Security Program
At the end of this path
Conclusion
• At the end of this 3-6 month journey, you will have:
• A “Human Network” to help you drive Cyber in your organization
• An updated Inventory of your Organization’s Enterprise IT assets
• You will know the maturity of your Security Program and your assessment baseline
• You will have created your Strategic Security Project Plan
• This plan will help you create your Security Program budget
• Better understanding of how “Cyber = Business Value”
• Some Questions for you:
• So did you miss anything?
• When you get home, what are you going to verify?
The Full Picture
RSA 2017 – Path to Success
Questions, Rants, Discussions?
Gary Hayslip, Deputy Director, Chief Information Security Officer
@ghayslip
https://www.linkedin.com/in/ghayslip
https://app.box.com/v/Five-Step-CISO-Mindmaps