How to get the Enterprise to Understand the Value of Security

Similar documents
Run the business. Not the risks.

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

INTELLIGENCE DRIVEN GRC FOR SECURITY

Modern Database Architectures Demand Modern Data Security Measures

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Certified Information Security Manager (CISM) Course Overview

THE POWER OF TECH-SAVVY BOARDS:

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Security and Privacy Governance Program Guidelines

Achieving effective risk management and continuous compliance with Deloitte and SAP

Big data privacy in Australia

Turning Risk into Advantage

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

The new cybersecurity operating model

Why you should adopt the NIST Cybersecurity Framework

BHConsulting. Your trusted cybersecurity partner

Securing Your Digital Transformation

MITIGATE CYBER ATTACK RISK

Accelerate Your Enterprise Private Cloud Initiative

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Maximizing IT Security with Configuration Management WHITE PAPER

Agile Master Data Management TM : Data Governance in Action. A whitepaper by First San Francisco Partners

Information Security Risk Strategies. By

Global Security Consulting Services, compliancy and risk asessment services

Best Practices & Lesson Learned from 100+ ITGRC Implementations

2 The IBM Data Governance Unified Process

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Next Generation Policy & Compliance

Sage Data Security Services Directory

Introduction to Business Continuity Management

To Audit Your IAM Program

COBIT 5 With COSO 2013

Bringing Cybersecurity to the Boardroom Bret Arsenault

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Continuous protection to reduce risk and maintain production availability

Electric Sector Security & Privacy Plans for 2011

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

Cybersecurity Best Practices

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

CERT Development EFFECTIVE RESPONSE

Optimisation drives digital transformation

Perfect Balance of Public and Private Cloud

Trillium Consulting. Data Governance. Optimizing Business Outcomes through Data and Information Assets

BHConsulting. Your trusted cybersecurity partner

SOLUTION BRIEF Virtual CISO

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

locuz.com SOC Services

CISM Certified Information Security Manager

ISACA Cincinnati Chapter March Meeting

San Francisco Chapter. Cassius Downs Network Edge LLC

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

FDIC InTREx What Documentation Are You Expected to Have?

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

ISE North America Leadership Summit and Awards

CISO MASTERCLASS FOR SENIOR EXECUTIVES 2 DAYS

Threat and Vulnerability Assessment Tool

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

Security Awareness Compliance Requirements. Updated: 11 October, 2017

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Consolidation Committee Final Report

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Survey Report Industry Survey. Data Governance, Technology & Analytics Trends Q1 2014

Building a BC/DR Control Library and Regulatory Response Program

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

CCISO Blueprint v1. EC-Council

Right-sizing Risk and Compliance for Small to Mid-size Companies. Susanne Elizer Practice Director Accretive Solutions Professional Strategies S32

Business Risk Management

SOC for cybersecurity

Balancing Between Risk and Compliance

Background FAST FACTS

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Business Assurance for the 21st Century

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

BRING EXPERT TRAINING TO YOUR WORKPLACE.

itsmf ITIL V3: Accelerate Success with Tools Maria A Medvedeva, PMP, ITIL Regional Director CA, Inc. itsmf Middle East Board of Directors

Cybersecurity. Securely enabling transformation and change

TEL2813/IS2820 Security Management

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

OVERVIEW BROCHURE GRC. When you have to be right

What is ISO/IEC 27001?

Symantec Data Center Transformation

Updates to the NIST Cybersecurity Framework

ISACA Arizona May 2016 Chapter Meeting

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Business Continuity Management Standards A Side-by-Side Comparison

Transcription:

PART 1 of 2 Insight into Security Leader Success How to get the Enterprise to Understand the Value of Security A SEC Research Finding

Intended Audience This presentation is intended for security leaders who want to create a business-based security department that provides value, and is valued by the enterprise. The following recommendations are based on 10+ years of SEC relevancy-based research. (c) 2015 The Security Executive Council 2

(c) 2015 The Security Executive Council 3

Expectations Are Changing Old Expectations New Expectations (c) 2015 The Security Executive Council 4

What does it take to meet the NEW expectations? (c) 2015 The Security Executive Council 5

1 Be Risk Based & Aligned with Organizational Goals (c) 2015 The Security Executive Council 6

Are your programs based on risks agreed upon across the enterprise? Are you using the same language the Board uses to express these risks? When and where does Security mitigate those risks? 7

Enterprise and Security Risk Alignment key points to know. Define the relationship between your company s strategic business objectives and the alignment of risk mitigation and security programs. (c) 2015 The Security Executive Council 8

Enterprise and Security Risk Alignment key points you need to know. Adjust security program creation to match vulnerabilities and threats (risks) identified with the future direction of the company. The greater the alignment between the goals of the business units and the security programs developed to support these goals, the greater the success of the company and the security leader. (c) 2015 The Security Executive Council 9

Enterprise and Security Risk Alignment key points you need to know. Delineate the structural issues surrounding the development of security programs, including program maturity, cost considerations, emerging risks and a growing body of regulatory and compliance issues. (c) 2015 The Security Executive Council 10

Have you conducted a security risk/threat/vulnerability assessment? If not WHY NOT??? Would you start fixing a car before knowing what s potentially wrong with it? If you have - do you regularly re-assess? (c) 2015 The Security Executive Council 11

2 Influence Cross-Functional Teams (c) 2015 The Security Executive Council 12

The management and communication of risk should be unified across the entire enterprise. 13

Most organizations address risk through separate and uncoordinated functional areas. We think Security can help bridge these silos of risk. (c) 2015 The Security Executive Council 14

Proven Practices: Risks, threats, vulnerabilities and incidents need to be communicated at their proper level and to the appropriate people The enterprise benefits from a centralized reporting of risks Create a cross-functional risk oversight team, that includes security, to address enterprise risks (c) 2015 The Security Executive Council 15

3 Security is Aligned with Organizational Readiness (c) 2015 The Security Executive Council 16

Organizational Readiness and OPaL+ First, What is OPaL+? Security is Specific/ Contained Activities The SEC conducted extensive research that focused on when and how Security programs and people become valued by the enterprise. No Security Department Needed Security is a Valuable Control Method This research found critical elements that when aligned properly result in a Security department that is a fit for and greatly valued by the enterprise. Security is a Revenue Enhancement Security is a Business Partner/ Enabler These elements are: Organizational readiness Program Maturity Leadership Continuum + Organizational elements of Corporate Culture and Risk Appetite (c) 2015 The Security Executive Council 17

Organizational readiness refers to whether the organization is ready for Security s blueprint. Sr. Management thinks Security should be this? Security is Specific/ Contained Activities No Security Department Needed Security is a Valuable Control Method Security is a Revenue Enhancement Security is a Business Partner/ Enabler But you think Security should be this? (c) 2015 The Security Executive Council 18

Understanding Organizational Readiness ensures that the organization and Security agree as to what Security should be and what it should accomplish. If there is a lack of agreement then expectations will be misaligned. (c) 2015 The Security Executive Council 19

You can enhance your cohesion with organization expectations by: Aligning with your organization s corporate culture No Security Department Needed Security is Specific/ Contained Activities Security is a Valuable Control Method Being the right type of leader for the organization at the right time Security is a Revenue Enhancement Security is a Business Partner/ Enabler Coming to an agreement with the organization on the current maturity level of security programs and creating a plan from there to the next level (c) 2015 The Security Executive Council 20

4 Create the Security Regulatory/Standards Baseline (c) 2015 The Security Executive Council 21

Just a sample of regulations and standards around or with security aspects. AEO C-TPAT FISMA GLBA SOX PCI NERC-CIP HIPAA NFPA 1600 ISO 27001 CFATS FSMA Food Safety Modernization Act MARSEC European Union Data Protection Directive NIST ISO 22399 (c) 2015 The Security Executive Council 22

Using the Security Regulatory/Standards Baseline Integrate global compliance standards and system specifications Expedite and optimize fixed cost (security personnel and systems) investment and variable cost outcomes (injury, asset damage or loss) Provide for common denominator audit guidance for security requirements including self-assessments (c) 2015 The Security Executive Council 23

5 Operate Security like a Business (c) 2015 The Security Executive Council 24

When running Security like a business, you should be able to easily answer the following questions: Who are your internal customers? What motivates them? What services do they use? What do they value? How confident are they in your services? What product do you sell? Have you identified all of your security services? What risks do they specifically reduce? How do you measure their business value? What is your capacity? How much time do staff devote to each kind of activity? What is the cost per service? What is your marketing strategy for the security department? What is your brand image to the company? (c) 2015 The Security Executive Council 25

This concludes part 1 of Insight into Security Leader Success. This presentation (parts 1 and 2) incorporates aspects of the following SEC developed research and content from the SEC Corporate Security Knowledge Base: Board-Level Risk Model Enterprise/Security Risk Alignment Model Unified Risk Oversight Model 9 Practice of the Successful Security Leader Research OPaL+ Assessment Research Security Measures and Metrics Program Internal Valuation Assessment Model Next Generation Security Leader Program Running Security as a Business Research Regulation and Compliance Management Database Executive Management Communication Best Practices SEC Technology Roadmap And the collective knowledge of SEC staff and subject matter experts (former security executives and security industry leaders) (c) 2015 The Security Executive Council 26

We can bring our research and extensive experience to work with you on: Aligning security risk mitigation strategies with enterprise risks Assessing risks, threats and vulnerabilities Creating your value driven metrics program Developing and telling Security s story Becoming a part of the business-wide risk team Aligning organizational readiness, program maturity and leadership strategy Contributing to enterprise driven risk compliance Running a business-based Security operation Transforming the Security organization through powerful executive communication Contact us. We re a security risk mitigation research and advisory firm. We re made up of former successful security executives. We enjoy exploring how to make Security a valued part of the business. contact@secleader.com +1 202.730.9971 https://www.securityexecutivecouncil.com (c) 2015 The Security Executive Council 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback