Security Profiles of the CISO. Vanessa Pegueros DocuSign Enterprise Security & Risk

Transcription

1 Security Profiles of the CISO Vanessa Pegueros DocuSign Enterprise Security & Risk 1

2 CISO Step Child C-level Ok put ego aside for a moment. Is it really an effective title? What other C-level has such a questionable level of authority? No common definition of role across companies Span of control is variable Control of budget is indirect Does the title help us accomplish our mission? 2

3 With Title Comes Authority It Depends Traditional C level titles CIO CTO COO CFO Non C title but accountable to CEO HR Marketing Sales Legal Newer C Titles CPO CMO CRO CISO Real authority and legitimacy comes from a direct tie to Revenue or Controlling Cost 3

4 Our function sits on uneven ground CISO primarily deals with a unquantifiable topic: Risk Difficult to prove value of something unquantifiable Risk will never be quantified in a universal way because it is personal Everyone feels differently about risk The feelings are unique to each individual Our effectiveness is totally dependent on the culture and company 4

5 Different Companies Want Different Things Small company The all in one CISO - I want a CISO who can talk to the Board and program our Firewall High growth company where security matters The agile CISO I want someone to go sell security, we just assume you ll take care of rest High growth company where security doesn t matter- The necessary but evil CISO, Just get us PCI compliance and we don t want to see you anymore The large slow growth regulated company- The auditor front person, Just get us through the audit The company in decline or recently breached- The expendable CISO, we just need someone to fire when it goes bad 5

6 CISO Needed Skills Over Time Skill Defining Factors CISO Skills Needed Technical Distributed Computing SOX Enforcer Compliance PCI Sales Public Relations Customer awareness relative to security grows TJ Max iphone Heartland Business Enablement Law Enforcement Stuxnet Advanced Hacking 1990s Risk Management DDoS against FIs 2012 Future 6

7 CISO Profiles The Tech CISO The Compliance CISO The Conference Circuit CISO The Sales CISO The Law Enforcement/FBI/Secret Service CISO 7

8 The Tech CISO Was an engineer still likes to get his/her hands dirty with tech details Wins the battles with technical acumen Stays out of the public eye Can t quite understand why the business support the very important security initiatives Feels as though most in the company just don t get it 8

9 The Compliance CISO Follow the rules You are breaking the policy That s not in the policy, I have not idea what to do Wins battles based on process and threat of non-compliance 9

10 The Conference Circuit CISO Make as many speeches as possible Gets on as many advisor boards as possible Great speaker and presenter, nice suits and haircut always sounds very impressive Doesn t really engage in battles Self promotion is a very important factor 10

11 The Sales CISO Spends most of time with customers May or may not understand security Talks at customer conferences Obsessed with closing the deal Wins battles based on saying, the customer wants it 11

12 The Law Enforcement/FBI/Secret Service CISO Former Law Enforcement/FBI/Secret Service Has a double life filled with intrigue and mystery Is exciting to the C level Creates instant cred with customers Not as technical as people assume Win battles out of fear the opponent may disappear 12

13 A New Model The CISO is not a title, it is a function and requires multiple people The functions are equally relevant to accomplishing the larger goals Currently no good org model to accommodate this challenge and the title does not help Must figure out how to contribute to revenue 13

14 The DocuSign Security Leadership Structure Tom Pageler (Sales/Law Enforcement) CISO Spends 90% of his time with customers Front person in communication with the Board Me (Tech/Compliance) Enterprise Security and Risk Manages the team Set priorities Determines Security Strategy Manages Security Risk within the Company Conference Circuit both or send a team member 14

15 Recommendations Understand who you are and what you are good at Be brutally honest Categorize your company, growth level, importance of security Understand what your company wants from you, if not a match, move on Always have plan B ready, you could be fired at any moment whether at fault or not 15