CISO as Change Agent: Getting to Yes

Similar documents
Ten Tenets of CISO Success

Ten Tenets of Security Success

CISO Success Strategies: On Becoming a Security Business Leader

Automating the Top 20 CIS Critical Security Controls

Designing and Building a Cybersecurity Program

Rethinking Information Security Risk Management CRM002

Les joies et les peines de la transformation numérique

Cybersecurity, safety and resilience - Airline perspective

ISE North America Leadership Summit and Awards

K12 Cybersecurity Roadmap

Cyber Protections: First Step, Risk Assessment

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

NCSF Foundation Certification

Department of Management Services REQUEST FOR INFORMATION

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

MITIGATE CYBER ATTACK RISK

Cybersecurity Today Avoid Becoming a News Headline

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

10 FOCUS AREAS FOR BREACH PREVENTION

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Emerging Issues: Cybersecurity. Directors College 2015

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Nebraska CERT Conference

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Critical Hygiene for Preventing Major Breaches

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Cybersecurity The Evolving Landscape

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

How to Develop Key Performance Indicators for Security

Why you should adopt the NIST Cybersecurity Framework

Securing Your Digital Transformation

Building a Resilient Security Posture for Effective Breach Prevention

How Breaches Really Happen

FDIC InTREx What Documentation Are You Expected to Have?

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

TIPS FOR AUDITING CYBERSECURITY

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

What It Takes to be a CISO in 2017

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

INTELLIGENCE DRIVEN GRC FOR SECURITY

CISM Certified Information Security Manager

Cybersecurity and the Board of Directors

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Operationalizing the Three Principles of Advanced Threat Detection

How To Build or Buy An Integrated Security Stack

Cyber Hygiene: A Baseline Set of Practices

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Certified Information Security Manager (CISM) Course Overview

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Sage Data Security Services Directory

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

How to Align with the NIST Cybersecurity Framework

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

CyberSecurity: Top 20 Controls

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Cyber Risks in the Boardroom Conference

Cyber Security Technologies

Introducing Cyber Observer

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Moderator: Presenters: Ross Albert Damon D Levine

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

The NIST Cybersecurity Framework

To Audit Your IAM Program

Must Have Items for Your Cybersecurity or IT Budget in 2018

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

THE POWER OF TECH-SAVVY BOARDS:

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Using Metrics to Gain Management Support for Cyber Security Initiatives

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Gujarat Forensic Sciences University

Building Resilience in a Digital Enterprise

Bringing Cybersecurity to the Boardroom Bret Arsenault

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

The Business Value of including Cybersecurity and Vendor Risk in ERM

Changing the Game: An HPR Approach to Cyber CRM007

Developing a Model for Cyber Security Maturity Assessment

Cyber Security Program

NCSF Foundation Certification

Transcription:

SESSION ID: CXO-W02F CISO as Change Agent: Getting to Yes Frank Kim Chief Information Security Officer SANS Institute @fykim

Outline Catch the Culture Shape the Strategy Build the Business Case 2

#1 Catch the Culture

Organizational Culture Culture eats strategy for breakfast. - Peter Drucker 4

Ability to Change What makes companies great is inevitably what makes companies fail, whenever that day comes. - Ben Thompson 5

Security Culture Introduce change At the rate the organization can accept it Examples Phishing click through rates Security exception requests 6

Stakeholders and Culture High Power Keep Satisfied HR Legal Ops Team Monitor Manage Closely CIO CFO CISO End KeepUsers Informed Low Low Interest High From mindtools.com 7

#2 Shape the Strategy

Establish a Vision Stakeholders don t value expertise They value results By understanding what they value We can learn to innovate with the business If I asked people what they wanted they would have said faster horses. - Henry Ford 9

Identify a Security Framework Security frameworks provide a blueprint for Building security programs Managing risk Communicating about security Many frameworks share common security concepts Examples include ISO 27000 Series 27001 ISMS requirements 27002 Code of practice 27003 Implementation guidance 27004 Measurement 27005 Risk management COBIT ENISA Evaluation Framework NIST Cybersecurity Framework 10

NIST Cyber Security Framework Composed of three parts Core, Implementation Tiers, Profiles Defines a common language for managing security risk Core has five Functions that provide a highlevel, strategic view of the security life cycle Helps organizations ask: What are we doing today? How are we doing? Where do we want to go? Identify Protect Detect Respond Recover 11

Critical Security Controls (CSC) Maintained by the Center for Internet Security (CIS) Subset of the comprehensive catalog in NIST SP 800-53 Prioritizes a smaller number of actionable controls that mitigate the most pervasive attacks 12

Critical Security Controls (CSC) Matrix CSC 1 Inventory of Authorized and Unauthorized Devices CSC 2 Inventory of Authorized and Unauthorized Software CSC 3 Secure Configurations for Hardware and Software CSC 4 Continuous Vulnerability Assessment and Remediation CSC 5 Controlled Use of Administration Privileges CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs CSC 7 Email and Web Browser Protections CSC 8 Malware Defenses CSC 9 Limit & Control of Network Ports, Protocols, Services CSC 10 Data Recovery Capability CSC 11 Secure Configurations for Network Devices CSC 12 Boundary Defense CSC 13 Data Protection CSC 14 Controlled Access Based on the Need to Know CSC 15 Wireless Access Control CSC 16 Account Monitoring and Control CSC 17 Security Skills Assessment CSC 18 Application Software Security CSC 19 Incident Response and Management CSC 20 Penetration Tests and Red Team Exercises

Maturity Comparison Example Identify Protect Detect Respond Current state Target state Recover 0 1 2 3 4 5 Lagging Industry Leadin g 14

Metrics Hierarchy Focus & actions increase as you move up the pyramid Volume of information increases as you move down the pyramid Strategic Operational Focus Strategic Objectives Focus Analysis & Trends Type KPIs Type Metrics Implementation Balanced Scorecard Implementation Security Dashboard Technical Focus Data Type Measures Implementation Charts & Graphs 15

Security Program Dashboard Example Financial/Stewardship Customer / Stakeholder Internal Business Process % Budget Allocated to Security % of Products Delivered On Time % of Developers Trained Target 5% Trend Target 95% Trend Target 95% Trend 5% 95% 97% YTD Security Budget Allocation Customer Satisfaction % of Developers with Certification Target 90% Trend Target 95% Trend 85% 42% 16

Security Status Example Security Capability Status Trend Highlights Identify: Manage risk to systems, assets, data, and capabilities Yellow 32% increase in unauthorized devices 29% IT 3 % HR 27% increase in unauthorized software Attributed to Q4 BYOD pilot Protect: Ensure delivery of critical infrastructure services Green Detect: Identify occurrence of a cybersecurity event Green Respond: Take action regarding a detected cybersecurity event Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity event Green Red 12% of users failed sponsored email phishing tests 15% of employees have not passed security awareness assessments 27% decrease in elevated access accounts 275 total elevated access accounts 5% of database systems with sensitive information have not been scanned by vulnerability scanners 34% of systems not enabled with up to date antimalware Attributed to Q4 BYOD pilot 17

#3 Build the Business Case

Risk Landscape Increasing complexity of threats results in additional exposure due to security risks Year of the breach Edward Snowden Nation States Stuxnet Advanced Persistent Threats Increasing risk due to evolving threat landscape and business requirements Risk Exposure Partners Organized Crime Activists Big Data Cloud Computing First Mobile App Mobile Payments Internet of Things Basic Threats Insider Threats Wireless Network Introduction of Mobile Devices First web site Global network Increasing complexity of technology environment results in operational risks 1995 2000 2005 2010 2015 19

Bad Business Justification (DMARC) DMARC is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport. It expands on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), coordinating their results on the alignment of the domain in the From: header field, which is often visible to end users. It allows specification of policies (the procedures for handling incoming mail based on the combined results) and provides for reporting of actions performed under those policies. 20 Source: https://en.wikipedia.org/wiki/dmarc

Better Business Justification (DMARC) The solution prevents scammers from sending fraudulent email to our customers. These fraudulent emails result in stolen usernames, passwords, and fraudulent transactions. The solution reduces the number of stolen accounts by 20%, account fraud by 10%, and the total amount of fraudulent transactions by $1 million per year. 21

Mapping to Strategic Objectives Financial/Stewards hip Lower costs Increased profitability Increased revenue Customer/Stakehol der Improved compliance & regulatory Lower wait times Improved satisfaction Internal Business Process Improved availability & resiliency Increase process efficiency Lower cycle times Business innovation/new product support Organizational Capacity or Security Capability Improved knowledge & skills Improved tools & technology 22

Build Your Business Case As a manager and leader you are expected to Understand the vision and mission of the company Make security understandable to business leaders Don t just ask for the money Sell the vision and how you will solve business problems Let the case speak for itself Allow decision makers to come to their own conclusion Outline three options with various pros and cons Let them pick one 23

Provide Options Highlight trade-offs with business value, risk reduction, cost Option A Option B Option C Business value Risk reduction Cost $ $$ $$$ 24

Summary

Leading Change It s not the strongest that survive or the most intelligent that survive. It s the ones that are most adaptable to change. - Charles Darwin 26

Key Takeaways Catch the Culture Understand culture and stakeholder motivations Introduce change one step at a time Shape the Strategy Utilize an industry recognized framework Provide metrics that matter Build the Business Case Don't just ask for the money Sell a vision on how you will solve business problems 27

Frank Kim fkim@sans.org @fykim

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback