The Fine Art of Creating A Transformational Cyber Security Strategy

Similar documents
DELIVERING SIMPLIFIED CYBER SECURITY JOURNEYS

THE POWER OF TECH-SAVVY BOARDS:

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

The University of Queensland

2018 MANAGED SECURITY SERVICE PROVIDER (MSSP): BENCHMARK SURVEY Insights That Inform Decision-Making for Retail Industry Outsourcing

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Turning Risk into Advantage

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Cybersecurity. Securely enabling transformation and change

Symantec Data Center Transformation

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

How To Build or Buy An Integrated Security Stack

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Buyer s Guide. What you need to know before selecting a cyber risk analytics solution

ACTIONABLE SECURITY AWARENESS: CONVERT THE WEAKEST LINK INTO THE SAFETY FORCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

MITIGATE CYBER ATTACK RISK

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

The State of Cybersecurity and Digital Trust 2016

OTA Strategic Update Building & Amplifying April 5, 2017

The new cybersecurity operating model

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

STRATEGIC PLAN

Securing Your Digital Transformation

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

Building a Resilient Security Posture for Effective Breach Prevention

Accelerate Your Enterprise Private Cloud Initiative

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

Cybersafety Culture Assessment

Initiative. Copyright Techdemocracy, 2017

CISO as Change Agent: Getting to Yes

Risk Advisory Academy Training Brochure

Strategic Plan Report

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

RED HAT ENTERPRISE LINUX. STANDARDIZE & SAVE.

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

Implementing ITIL v3 Service Lifecycle

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

IMPROVING NETWORK SECURITY

Pave the way: Build a value driven SAP GRC roadmap March 2015

Security and Privacy Governance Program Guidelines

Cyber Security Strategy

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

LEADERSHIP GROUP LG (2017) Paper October 2017 RESILIENCE BOARD

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

The Business Value of including Cybersecurity and Vendor Risk in ERM

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

SOC for cybersecurity

Reinvent Your 2013 Security Management Strategy

Transport and ICT Global Practice Smart Connections for All Sandra Sargent, Senior Operations Officer, Transport & ICT GP, The World Bank

Operationalizing the Three Principles of Advanced Threat Detection

SESSION 206 Wednesday, November 2, 11:30am - 12:30pm Track: People, Culture and Value

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Commonwealth Cyber Declaration

Martijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain

UAE Space Policy Efforts Towards Long Term Sustainability of Space Activities Agenda Item 4; COPUOS June 2017 By: Space Policy and

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

2015 VORMETRIC INSIDER THREAT REPORT

State of Security Operations

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

CYBERSECURITY RESILIENCE

Position Description IT Auditor

Commission for Environmental Cooperation (CEC) Sponsored Workshop on Environmental Assistance Programs and Resources for Automotive OEMs and Suppliers

National Open Source Strategy

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Cyber Threat Prioritization

Kaspersky Security Awareness

Modern Database Architectures Demand Modern Data Security Measures

Demystifying GRC. Abstract

CYBER RESILIENCE & INCIDENT RESPONSE

SOLUTION BRIEF Virtual CISO

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

Bringing Cybersecurity to the Boardroom Bret Arsenault

Cylance Axiom Alliances Program

MNsure Privacy Program Strategic Plan FY

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

Transforming Your Web Presence

Avanade s Approach to Client Data Protection

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

align security instill confidence

TSC Business Continuity & Disaster Recovery Session

Dell helps you simplify IT

Rethinking Information Security Risk Management CRM002

Data Management and Security in the GDPR Era

Big data privacy in Australia

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

CYBERSECURITY MATURITY ASSESSMENT

Planning and Implementing ITIL in ICT Organisations

Transcription:

SESSION ID: CXO-R11 The Fine Art of Creating A Transformational Cyber Security Strategy Jinan Budge Principal Security & Risk Analyst Forrester Research Andrew Rose Chief Security Officer Vocalink, A Mastercard Company

Source: delete on www.milanostyle.com master slide 2

Source: delete on www.unsplash.com master slide 3

Source: delete on www.unsplash.com master slide 4

Without A Strategy, You Are Left Rudderless 5

An Intensifying Storm Technology Speed Of Business Threat Age Of The Customer 6

A Good Security Strategy Transforms.. FROM TO An IT issue An issue of customer trust No, you can t Yes, and Technically focused Holistic Lock & keys Freedom 7

And A Bad Strategy.. Suffer A Great Breach & Miss Smaller Ones Continue To Invest In The Wrong Things Spend Their Time Responding Tactically Struggle To Attract And Retain 8

Creating and implementing business aligned security strategies and road maps has been in the Forrester CISO Top 5 Priorities every year since 2011 9

Department of no and altruism Dragged into minutiae Forget to prioritize Know the what but not the how Someone else s problem Can t spare the time 10

What Makes Or Breaks A Strategy Understandable Known Utilized and sustainable Business focused and risk-aligned People and culture at the heart Platitude Doesn t consider people Shelfware One dimensional Inflexible 11

Three Paths To Strategy 12

Decide On The Strategy Path You Want To Take 13

Each Path Has Pros And Cons 14

Choose Your Strategy Path Wisely Depending On 15

Strategy Fundamentals: Part 1 - Socialize Socialize your strategy to gain visibility, budget and influence 16

Gather Data From Key Stakeholders 17

Perspectives From The Boardroom Cyber risk is a top business priority. Awareness and understanding of security: not perfect but improving. Translators required. Boards want to hear from and have a trusted dialogue with the CISO. Boards need transparency and risk. Normalizing the security conversation. 18

Security 101 Do You Have Support? Do you really have senior management support? Ask yourself: Have they committed to funding the program, or are they on the journey to offer funding? Do they understand that cybersecurity is a business risk? Is cybersecurity risk on the corporate risk register? Am I empowered by executive sponsors, and do I have direct access to them? Does my governance board represent my whole business, and at a level senior enough to make decisions? 19

Strategy Fundamentals: Part 2 Strategize In taking the time to strategize, you consider What is important? Why does your role matter? What s the point of it all? Strategize alone, with your team or in consultation with stakeholders Brainstorm on a whiteboard or piece of paper Ask yourself some hard questions 20

Mission Statement 21

Mission Example 1 CLEAR STATEMENTS OF AMBITION AND PURPOSE 1. Direct and assure Have a cyber security capability which protects the continued provision of 24/7 financial transaction services 2. Drive scalable security architecture Enable the rapid and safe realization of future business objectives 2. Leverage recent company acquisition Drive improvements in control and oversight 22

Mission Example 2 AN APPROACH TO LEADERSHIP FOR THE SECURITY FUNCTION 1. Commercially focused on how to help the business execute its vision Focus on how to make the business execute its strategy securely Good team player in the organizational ecosystem 2. Trusted partner for the business in strategic growth opportunities Collaborate with the business by providing security expertise that aids but does not hinder them 3. No net new security technology investment without clear business benefit Depart from old habit of technology acquisition without adequate business case. With clear value for the business and its strategy 23

Mission Example 3 MINISTER S FOREWORD (NSW GOVERNMENT CYBER SECURITY STRATEGY) Developing strong cyber capabilities that scale with our ambitious digital agenda, will be key to our success. By investing in cyber security today, we are enabling the NSW Government to accelerate digital transformation while providing confidence to citizens who trust us with their data and services. 24

Strategy Fundamentals: Part 3 Prioritize Decide what s important Focus your program Justify decisions 25

Prioritization Takes Effort And It Depends On Your Path 26

How Much Does It All Matter? IMPACT Financial Reputational ASSETS What are we trying to protect? THREAT Who would target us and why? CAN WE ACCEPT THE RISK? HOW MUCH ARE WE PREPARED TO SPEND TO MITIGATE IT? Financial performance Competitive advantage Reputation Market presence 27

Security Performance Snapshot USE RECOGNISED STANDARDS TO SELF ASSESS YOUR SECURITY AND HELP DEFINE GOALS Overall maturity Stage 1: Ad hoc Stage 2: Repeatable Stage 3: Defined Stage 4: Measured Stage 5: Optimized Overall maturity Overall maturity Oversight Overall maturity 2.24 Oversight 2.13 Technology 2.54 Process 1.93 People 2.35 Technology Process People 0.00 1.00 2.00 3.00 4.00 5.00 *Stages are defined as follows: Stage 1 = 0.01-1.00, stage 2 = 1.01-2.00, stage 3 = 2.01-3.00, stage 4 = 3.01-4.00, stage 5 = 4.01-5.00. 28 Source: Forrester Report, Assess Your Security Program With Forrester s Information Security Maturity Model.

Security Performance Snapshot USE RECOGNISED STANDARDS TO SELF ASSESS YOUR SECURITY AND HELP DEFINE GOALS 29

Strategy Fundamentals: Part 4 Write Typically where people start, or stop No silver bullet It drives all actions, accountabilities and decisions The document is a means not the end 30

Document Your Strategy 31

Strategy Fundamentals: Part 5 Summarize Remember your audience and your focus 32

Your Audience Will Vary Your security governance board, and an interested VP, or SVP. Sometimes it includes your board and execs. Top level Executive Management, The Board, Partners and Customers Your audience is you, your team and your boss 33

Create A Focus Sheet for Executives - Example SHOW HOW SECURITY SUPPORTS BUSINESS OBJECTIVES Security mission security will neither hinder nor halt our business. Our current issues: We will address this by: Enabling the following business benefits: Low maturity security function as assessed during recent internal audit Reactive to incidents rather than proactive Inhibits business growth and not seen as a trusted business partner Embryonic capabilities in most areas Transforming security function to become a trusted business partner Addressing risks highlighted by audit Delivering a forwardthinking security function that drives new technology adoption Refreshing perimeter controls and enhancing monitoring capability Overview of the security culture program Overview of the security program 34 30% decrease in customer complaints related to security 20% reduction in security waivers Partnership scores of 8/10 on business projects that we support Decrease in incidents based on 2015 to 2018 average

Create Your Own Focus Sheet Your Vision of Cybersecurity [Statement] State of Cybersecurity [Year] Top security business risks describing the initial state Risk [Current State/Metric] Risk [Current State/Metric] Risk [Current State/Metric] Risk [Current State/Metric] Risk [Current State/Metric] Key cybersecurity initiatives/projects 1. Security initiative/project 1 2. Security initiative/project 2 3. Security initiative/project 3 4. Security initiative/project 4 5. Security initiative/project 5 Key cybersecurity assumptions and requirements 1. [Assumption/requirement] 2. [Assumption/requirement] 3. [Assumption/requirement] 4. [Assumption/requirement] 5. [Assumption/requirement] State of Cybersecurity In [Year] Top risks describing the end state Risk [Target State/Metric] Risk [Target State/Metric] Risk [Target State/Metric] Risk [Target State/Metric] Risk [Target State/Metric] 35

Strategy Fundamentals: Part 6 Succeed Follow key principles for a successful transformation 36

Principles of A Successful Transformation Craft the right policies, have basic security controls in place, and exercise incident response. Build an A- team Build a diverse, creative, pragmatic team with a growth mindset Start with a reliable foundation Position security as a business risk Articulate the business impact of cybersecurity risks and ensure the business understands its role in risk management. Improve governance Lift what is already existing, and include whole of business Change the culture Foster a significant change in the organizations security awareness and behavior. 37 Focus holistically on your business Extend your effort beyond technical solutions to assure support for business priorities.

How Will You Create Your Strategy? 38

Apply What You Have Learned Today Next week you should: Decide what your strategy path is Identify influential key stakeholders, and how they can be part of your strategy and transformation In the first three months following this presentation you should: Define your mission statement, co-creating if appropriate Be clear on your security program priorities Within six months you should: Build a right-sized, risk-based, business aligned cybersecurity strategy document Socialize your strategy with your key stakeholders 39

Q&A Jinan Budge, Principal Security and Risk Analyst, Forrester Andrew Rose, Chief Security Officer, Vocalink, A Mastercard Company

References Source: North American Consumer Technographics Consumer Technology Survey Q2, 2014 and Consumer Technographics North American Online Benchmark Survey (Part 2), 2017 See Forrester Report, Use Forrester s CISO strategic Canvas To Align Security With Business, November 2018 See Forrester Report, How To Talk To Your Board About Cybersecurity, December 2018 See Forrester Report, Instill A Security Culture By Elevating Communication, October 2018 See Forrester Report, Transform Your Cybersecurity Capability, August 2018 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback