No More Security Empires The CISO as an Individual Contributor

Transcription

1 SESSION ID: STR-R02 No More Security Empires The CISO as an Individual Contributor Jim Maloney CISO AvidXchange,

2

3 What if your security program had no staff, except you no budget, except your salary an ad-hoc collection of controls? You are here

4 You adapt (quickly) from this mindset You adapt (quickly) from this mindset build a security empire a security empire

5 to this mindset an army of one (or a few)

6 A journey of discovery >60,000 Employees <1000 Then Time Now 6

7 What I discovered - security empires, all Company A Corporate Core Team X Corporate Business Partner B X X Business Unit Core Team Business Unit Business Partner C X X D X X E X 7

8 A more important discovery The business doesn t understand security this isn t working Security doesn t understand the business Finger pointing Us vs. them Ivory tower And more 8

9 No people and no budget? My plan Understand requirements, industry practices Assess risk and controls, identify gaps Build a roadmap Look for synergies Find people, budget and champions Execute

10 Requirements and industry practices Risk COSO ISO NIST SP Security CIS CSC NIST CSF NIST SP ISO ISO PCI DSS HIPAA Privacy GAPP HIPAA GLBA 10

11 Risks and gaps CIS CSC and threat assessment as a quick diagnostic CSF, ISO, NIST as framework and more detailed assessment PCI DSS and HIPAA assessments as supplemental GAPP for baseline privacy assessment Red missing, yellow partial, green in place Tag reds and yellows with potential owners 11

12 Build a roadmap Three-year roadmap Based on identified gaps Risk-based prioritization But some quick wins, too So called black swans are the most difficult (low probability, high impact) Gnats are the most annoying (high probability, low impact) 12

13 Look for synergies - examples IT needs to manage logs IT needs to respond to incidents HR has a training platform and initiatives Legal wants standard contract terms Software development wants to improve quality Product wants desirable features for customers Marketing wants to enhance brand 13

14 Finding people Where are the synergies? Who should own and operate the controls? Who cares about security? Who understands security? 14

15 Finding people my team 4 FTE in IT (infrastructure security) 1 FTE in IT (end-user support) 1 FTE in DevOps (production support) 2 FTE in Software Engineering (secure coding) 1 FTE in Facilities (physical security) 1 FTE across HR, Legal, Risk & Compliance (contracts, training, etc.) 15

16 Finding budget Pain points from customers or partners? Hot buttons from Board members? Any budget already allocated to security controls? Any unused budget? Compliance obligations? Black swans and gnats? 16

17 and a few champions At all levels, across multiple orgs Who really gets security? Both active and passive can help 17

18 Execute Establish a clear and compelling vision, mission and objectives Leadership by influence Make others successful Do favors and collect favors Build a personal brand and a security brand Quick wins Demonstrate value 18

19 Some execution examples Item CISO Others Disaster recovery plan Outline, review Plan, testing (IT) Business continuity Policy, risk assessments Plans, testing (BU) Application security Training, tool selection Tool implementation, process (SE) Incident response Vulnerability management Security and privacy supplement Requirements, SLA, references (NIST) Crisis communications plan, IR plan, IR team (IT) Vulnerability management and patching program (IT) Vendor management Security terms, model Standard agreements, policy (Legal) Security awareness Requirements, advice Content in LMS (HR) 19

20 Results so far - plusses and minuses Plus Engagement Ownership Speed Scope Brand Minus Not always able to find synergy Some battles of priority Tracking security investment and effort Convincing partners and auditors Being invited to the right meetings Disappearing budgets 20

21 Apply a green field approach Similar to my plan but every company and program is unique Understand requirements, adopt industry practices Assess risk and controls, identify gaps Build a roadmap Look for synergies Find people, budget and champions Execute

22 Apply retrofit or rebuild What can you give away that could be done by another team? What really needs to be centralized vs. what can be done as well or better by other teams? Outsourcing? The what, why and how recipe

23 Critical success factors Get total buy-in from your manager Create or leverage security culture Don t report to CIO / head of IT Execute and deliver Focus on the what and why, with just a little how Do non-security work (trading favors) Plan B Selectively pull functions and people to the center if needed 23

24 Your journey will be different This shouldn t be your first CISO journey Jury is out regarding scalability Be willing to fail fast, learn and adapt

25 Questions? LinkedIn: Thanks! Think different small can be cool. :-) 25

26 More stuff to help you succeed Appendix Tools and Techniques

27 Requirements and industry practices CIS CSC - NIST CSF - GAPP - PCI DSS - HIPAA - GLBA - Other NIST guidance 27

28 Simple threat model This is three entries (of 12) from a simple enterprise threat model that was used to help set implementation priorities for closing identified gaps Likelihood and impact have scores generated by the selected rating and then combined to calculate an overall risk rating for each threat The rating scales and calculations are similar to NIST SP

29 Assessment tool example This is the format used for both the CSC and CSF assessments Can use a 0-5 maturity scale or simply red (missing), yellow (partial), green (in place) 29

30 Roadmap example This is the format used to capture and track security tasks for a three-year window Each task is assigned a general category (e.g., Access Management) Tasks have identified sources, assigned priorities, target completion dates, and owners 30

31 Influence references Some good books on influence and power Influence: The Psychology of Persuasion, Revised Edition by Robert B. Cialdini Influencer: The New Science of Leading Change, Second Edition by Joseph Grenny and Kerry Patterson Influencing Up by Allan R. Cohen and David L. Bradford Power: Why Some People Have It and Others Don't by Jeffrey Pfeffer 31