What It Takes to be a CISO in 2017

Similar documents
Cybersecurity The Evolving Landscape

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

How To Build or Buy An Integrated Security Stack

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Risks in the Boardroom Conference

Best Practices in Securing a Multicloud World

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

INTELLIGENCE DRIVEN GRC FOR SECURITY

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Changing the Game: An HPR Approach to Cyber CRM007

Cybersecurity Session IIA Conference 2018

ISE North America Leadership Summit and Awards

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Changing face of endpoint security

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

CCISO Blueprint v1. EC-Council

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Designing and Building a Cybersecurity Program

Cybersecurity Today Avoid Becoming a News Headline

Cybersecurity Overview

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Take Risks in Life, Not with Your Security

Nine Steps to Smart Security for Small Businesses

locuz.com SOC Services

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Canada Life Cyber Security Statement 2018

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Cybersecurity in Higher Ed

2017 Annual Meeting of Members and Board of Directors Meeting

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Why you should adopt the NIST Cybersecurity Framework

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

SOLUTION BRIEF Virtual CISO

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Information Security Controls Policy

Security and Privacy Governance Program Guidelines

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Sage Data Security Services Directory

IT Security Mandatory Solutions. Andris Soroka 2nd of July, RIGA

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Defense in Depth Security in the Enterprise

Cyber Criminal Methods & Prevention Techniques. By

Secure HIPAA Compliant Cloud Computing

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

Position Title: IT Security Specialist

Sirius Security Overview

PTLGateway Data Breach Policy

THE POWER OF TECH-SAVVY BOARDS:

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

CYBER RESILIENCE & INCIDENT RESPONSE

Jeff Wilbur VP Marketing Iconix

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

CISO as Change Agent: Getting to Yes

Cybersecurity for the SMB. CrowdStrike s Murphy on Steps to Improve Defenses on a Smaller Scale

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

CA Security Management

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Sensitive Data Loss is NOT Inevitable

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

NERC Staff Organization Chart Budget 2019

10 FOCUS AREAS FOR BREACH PREVENTION

A company built on security

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

The Deloitte-NASCIO Cybersecurity Study Insights from

Avanade s Approach to Client Data Protection

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised

Internet of Things Toolkit for Small and Medium Businesses

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

CipherCloud CASB+ Connector for ServiceNow

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cybersecurity Auditing in an Unsecure World

NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print

Secure Product Design Lifecycle for Connected Vehicles

Cyber Security Stress Test SUMMARY REPORT

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

Cybersecurity and the Board of Directors

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Transcription:

What It Takes to be a CISO in 2017 Doug Copley Deputy CISO Sr. Security & Privacy Strategist February 2017

IMAGINE You re the CISO In Bangladesh Of a bank On a Friday when you re closed You realize 6 huge transfers are underway It takes 4 DAYS to halt the transfers By then, $81M dollars are gone How can you begin to explain why how 2

AGENDA 1. Expectations of a CISO 2. Mindset and Focus 3. Insights 4. Network 5. CISO Roadmap 6. Takeaways

[ ] 4

Identity & Access Management Application Assessment Strong Authentication Digital Investigation & Forensics Security Incident Management Vulnerability Management Asset Management Risk Management Compliance monitoring CISO THE IMPOSSIBLE JOB? OR JUST THANKLESS Policy definition Enforcement Monitoring & response Audit/Measurement Network Databases Systems Endpoints Application Infrastructure Messaging & Content Data NAC Switch/Router Security Firewall Database encryption Storage security Web security gateway Enterprise encryption & key management IDS/IPS Forensics VPN Wireless monitoring Database security and monitoring Basic Auditing Firewall/Host IPS Patch management Antivirus/Antispyware Hard drive encryption Device control Mobile device security Firewall/Host IPS Enterprise Web XML gateway Application firewall directory SSO App encryption Email content Web security filtering Antivirus Anti-spam Digital rights management Data Leak Prevention

CISO RESPONSIBILITIES IN 2007 Install & manage firewalls Install & manage internet proxy server Install & manage endpoint anti-virus Install & manage intrusion detection (if you were advanced) Required strong technical knowledge Primary Focus: Technical Control Implementation

CISO RESPONSIBILITIES IN 2017 Managing information risk Executive business partner (enable) Successfully navigating the landscape (business, regulatory, threat) Risk-based strategy & vision Leadership (security, team, change) Primary Focus: Enable the business while managing risk & compliance

[ ] 8

REQUIRES ABILITY TO WORK IN UNCERTAINTY Day 1 What Some Days Felt Like You are here Arranging deck chairs http://www.workinginuncertainty.co.uk/

What s on the mind of a CISO? 1. Constantly evolving and sophisticated cyber threats 2. Struggle with visibility across locations, systems and networks 3. Fear of not being able to detect that we ve been compromised 4. Breach headlines = unemployment (scapegoat) Financial advisor fired for stealing information on 350,000 wealth management clients 10

What s on the mind of a CISO? 5. Do I understand business priorities and direction? 6. Security of cloud platforms and applications 7. Not being fully prepared to respond to an incident 8. Insider threats (intentional, accidental, inadvertent) 9. Finding and retaining skilled cybersecurity talent Copyright 2017 2016 Forcepoint. All rights reserved. 11

[ ] 12

UNDERSTANDING THE THREATS 1. Is it the people? Employees or 3 rd party? Consultants or contractors? 2. Is it technical vulnerabilities? Have they always existed? 3. Is it poor technology? Is it still supported? Does it NOT meet the needs? 4. Is it culture? Do staff identify control gaps? Are they punished for it? 5. Is it executive mgmt? When were they updated last?

MANAGING CYBER RISK Key is appropriately managing the risks Policies & procedures (administrative) Technology tools (technical) Control physical access (physical) Risk/Cost decision: Do we need to: Prevent it from happening? Detect & respond when it happens? Would it automatically get corrected? Do we get cyber insurance?

WHEN THINGS GO AWRY

[ ] 16

NATURAL PARTNERS IN MANAGING RISK Corporate Compliance» Applicable regulations» Risk of Non-Compliance Enterprise Risk Management» Manages all risk across the company» Will measure information risk the same as others Internal Audit» Can help raise risk awareness to Board» Can report on control effectiveness

NATURAL PARTNERS IN MANAGING RISK Legal Affairs advice Retention, litigation, legal precedents Human Resources Job Descriptions Training Information Technology Will implement technical controls Finance Will help quantify risk into currency

USERS: ASSET OR LIABILITY? Liability Aren t aware of policies Careless; make mistakes Contract malware Steal company secrets Sabotage systems Falsify data Steal identities Asset Help educate others Police their departments Report risky behavior Help improve policies Help remediate events Pilot new controls Suggest new processes

VENDORS: ASSET OR LIABILITY? Liability Lack controls Lack oversight Don t communicate well Bad agreements Aren t compliant Breach your data Asset Help educate CISO, team Help deploy controls faster Help monitor, remediate events Help assess risk/compliance Provide expertise Can suggest process improvements or deployment alternatives

LEVERAGE KEY PARTNERSHIPS Build partnerships outside your organization In healthcare, key resources are: 1. Peer organizations non-profit and for-profit 2. State - Dept. of Community Health 3. State - Health Information Exchanges 4. State - Health & Hospital Association 5. HiTrust & NH-ISAC 6. Federal Health & Human Services 7. Federal FBI & InfraGard 8. Federal Homeland Security

[ ] 22

BUILDING SECURITY WITHOUT BOUNDARIES Resources are ALWAYS constrained Reason for risk-based prioritization Outsource if necessary, but commodity functions Encourage/reward innovation (think like there is no box!) May increase productivity Can help improve morale Look for external funding Federal & State grants may be available May be able to participate in outside initiatives

PRACTICAL STEPS FOR A CISO 1. Decide on a framework (ISO, NIST, HiTrust, etc.) 2. Understand business priorities 3. Understand the technical environment and data flows 4. Identify & assess areas of risk 5. Prioritize based on risk and over-communicate 6. Talk with vendors and integrators 7. Educate, educate, educate (users, staff, yourself)

6-STEP SECURITY CYCLE Inventory Business Critical Data Have an Incident Response Plan Ready Perform a Risk Assessment Implement Policies, Processes, and Technologies Develop a Security Strategy Train Workforce (Source: Healthcare IT News)

[ ] 27

WHO IS THE CISO? 1. Security Leader? IT Leader? YES, Depends 2. Business-Savvy Executive? YES 3. Risk Leader? YES 4. Compliance Leader? Depends 5. Team Leader, Coach, Mentor? YES 6. Therapist? YES 7. McGyver? YES

Recommendations 1. Understand expectations of you 2. Understand business critical functions/data 3. Understand threat landscape 4. Follow a framework and prioritize by risk 5. Institute governance involving stakeholders 6. Build and leverage your team and NETWORK 7. Adapt as necessary Copyright 2016 Forcepoint. All rights reserved. 29

Thank You! Doug Copley dcopley@forcepoint.com http://blogs.forcepoint.com Twitter: @hcare_security www.linkedin.com/in/dcopley 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback