Ten Tenets of CISO Success

Size: px

Start display at page:

Download "Ten Tenets of CISO Success"

Blanche Harmon
6 years ago
Views:

1 SESSION ID: STR-W04 Ten Tenets of ISO Success Frank Kim Founder

2 #1 atch the ulture

3 Organizational ulture ulture eats strategy for breakfast. - Peter Drucker 3

4 #2 Relate to Risk

Wireless Network Mobile Devices Global Network Big Data loud omputing Internet of Things Technology $1

5 Business Risk Sophistication Insider Threats Basic Threats Threats Partners Year of the Breach Edward Snowden Nation States Stuxnet Advanced Persistent Threats Organized rime Activists First Mobile App Mobile Payments Wireless Network Mobile Devices Global Network Big Data loud omputing Internet of Things Technology $1 Trillion ost of yber crime - World Economic Forum First Website Graphic credit: Omar Khawaja

6 #3 reate redibility

7 reating redibility A big part of being believable and building our trust is showing us how we compare to competitors, other industries, some kind of standards or benchmarks. - Board Member 7

8 #4 Shape the Strategy

9 Identifying a Security Framework Security frameworks provide a blueprint for Building security programs Managing risk ommunicating about security Many frameworks share common security concepts ommon program frameworks include: ISO Series ISMS requirements ode of practice Implementation guidance Measurement OBIT ENISA Evaluation Framework FFIE ybersecurity Assessment Tool NIST ybersecurity Framework 9

10 NIST ybersecurity Framework Identify Protect Detect Respond Recover omposed of three parts ore, Implementation Tiers, Profiles Defines a common language for managing security risk ore has five Functions that provide a high-level, strategic view of the security life cycle Helps organizations ask: What are we doing today? How are we doing? Where do we want to go? When do we want to get there? 10

11 Maturity omparison Example Identify Protect Detect Respond urrent state Target state Recover Lagging Industry Leadin g 11

12 #5 Deliver the Deal

13 Mapping to Strategic Objectives Financial/Stewards hip Lower costs Increased profitability Increased revenue ustomer/stakehol der Improved compliance & regulatory Lower wait times Improved satisfaction Internal Business Process Improved availability & resiliency Increase process efficiency Lower cycle times Business innovation/new product support Organizational apacity or Security apability Improved knowledge & skills Improved tools & technology

14 Provide Options Highlight trade-offs with business value, risk reduction, cost Option A Option B Option Business value Risk reduction ost $ $$ $$$ 14

15 #6 Invest in Individuals

16 Putting Leadership Into Perspective Boss Manager Leader Drives people Manages things oach, mentor, and grow people Thinks short-term Thinks mid-term Thinks long-term Focused on self Focused on process Focused on people Instills fear Earns respect Generates enthusiasm Says I Says Our Says We Micromanages Delegates Motivates Places blame on roadblocks Navigates roadblocks Removes roadblocks Dictates how it s done Shows how it s done Influences how it s done Takes credit Shares credit Gives credit ommands Asks Influences Says Go Says Let s go Says Way to go

17 areer Management P.I.E. Everyone should have a piece of the P.I.E. Performance Perform exceptionally well Image ultivate the proper image Exposure Manage their exposure so the right people will know them 17

18 #7 Make Metrics Matter

Metrics Hiearchary Focus & actions increase as you move up

down the pyramid Strategic Focus Strategic Objectives Type

Analysis & Trends Type Metrics Implementation Security

19 Metrics Hiearchary Focus & actions increase as you move up the pyramid Volume of information increases as you move down the pyramid Strategic Focus Strategic Objectives Type KPIs Implementation Balanced Scorecard Operational Focus Analysis & Trends Type Metrics Implementation Security Dashboard Technical Focus Data Type Measures Implementation harts & Graphs

Balanced Scorecard Example Financial/Stewardship ustomer / Stakeholder Internal Business Process Q4 % Product Development Budget Allocated to Security Target 5% Trend Increased support for legal as

Security staffed temporary PMO team to meet goal Q4 % of Developers Training in Secure oding Principles Target 95% Trend 5% 95% 97% 100% of flagship application developers completed training reducing

20 Balanced Scorecard Example Financial/Stewardship ustomer / Stakeholder Internal Business Process Q4 % Product Development Budget Allocated to Security Target 5% Trend Increased support for legal as they piloted their case management system Q4 % of Products Delivered On Time and On Budget Target 95% Trend 18% increase over Q3 in on-time and on budget delivery. Security staffed temporary PMO team to meet goal Q4 % of Developers Training in Secure oding Principles Target 95% Trend 5% 95% 97% 100% of flagship application developers completed training reducing overall risk to organization Q4 & YTD Security Budget Allocation ustomer Satisfaction Q4 % of Developers Attaining ertification Target 90% Trend 8% increase over Q3 in customer satisfaction rating of 4 or higher out of 5 possible Target 95% Trend 85% 42% Mitigation plan: Follow-up with developers after training is complete for certification 20

21 Security apability Example Security apability Status Trend Highlights Identify: Manage risk to systems, assets, data, and capabilities Yellow 32% increase in unauthorized devices 29% IT 3 % HR 27% increase in unauthorized software Attributed to Q4 BYOD pilot Protect: Ensure delivery of critical infrastructure services Green Detect: Identify occurrence of a cybersecurity event Green Respond: Take action regarding a detected cybersecurity event Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity event Green Red 12% of users failed sponsored phishing tests 15% of employees have not passed security awareness assessments 27% decrease in elevated access accounts 275 total elevated access accounts 5% of database systems with sensitive information have not been scanned by vulnerability scanners 34% of systems not enabled with up to date antimalware Attributed to Q4 BYOD pilot 21

22 #8 Master Your Message

23 Effective ommunications Security people don t speak our language. In fact, at each briefing they seem to speak a different language. - Board Member 23

24 24

25 #9 hampion hange

between development and operations SecDevOps Break down

26 Breaking Down the Walls Agile Break down walls between development and the business DevOps Break down walls between development and operations SecDevOps Break down walls between security and development, operations, business 26

27 Improve Effectiveness 27

28 #10 Solve Business Problems

Evolution of Security Leadership Old School New School

Regulatory, ompliance, Legal, Privacy Business Savvy

29 Evolution of Security Leadership Old School New School IT Security IT Security Technology Focus Risk Management Regulatory, ompliance, Legal, Privacy Business Savvy Business Focus Graphic credit:

31 Ten Tenets of ISO Success #1 reate redibility #6 Invest in Individuals #2 atch the ulture #7 Make Metrics Matter #3 Relate to Risk #8 Master Your Message #4 Shape the Strategy #9 hampion hange #5 Deliver the Deal #10 Solve Business Problems 31

32 Frank Material based on SANS MGT514 Security Strategic Planning, Policy, and Leadership

CISO as Change Agent: Getting to Yes

SESSION ID: CXO-W02F CISO as Change Agent: Getting to Yes Frank Kim Chief Information Security Officer SANS Institute @fykim Outline Catch the Culture Shape the Strategy Build the Business Case 2 #1 Catch