
DESCRIPTION

A review of the "lessons learned" in establishing a CISO/CSO role in two different organizations. The things that security folks DON'T tell you...

TRANSCRIPT

Page 1: CISO Case Study  2011 V2

Case Study: Establishing the

“CISO/CSO” Role

Candy Alexander, CISSP CISM

SecureWorld Expo Boston

March 24, 2011

Room 103

SecureWorld Expo - Boston March 24, 2011 - Room 103

Page 2: CISO Case Study  2011 V2

Topics

Presentation approach

Setting the scene

Secrets for success?

Sample Program Approach

Candy Alexander CISSP, CISM - SecureWorld Expo - Boston March 24, 2011 - Room 103

Page 3: CISO Case Study  2011 V2

Presentation Approach

Focus on "soft skills"

A huge challenge is that we typically come from IT, military/government, or law enforcement

Secrets behind program methodologies and technology

Page 4: CISO Case Study  2011 V2

Setting the Scene

Company #1: publicly held

"Civil Engineering" focused

2 levels below CIO

7500+ employees

Compliance Mission: SOx

Security Mission: Asset protection (physical security/equipment thefts)

Company #2: "private" Federal government contractor

2 levels below CEO

Small workforce, huge "virtual store front"

Compliance Mission: FISMA/State DP

Security Mission: Data protection (PII/PHI)

Page 5: CISO Case Study  2011 V2

Secret #1

Organization Structure / Segregation of Duties

CIO - Fox watching the chicken coop?

CFO/Audit

CFO/Spending - Shoemaker's child?

Audit - Chicken coop watching the fox?

CTO - Good mix; understands the tech side, but...?

COO - Good understanding of how security impacts the business and vice versa

CEO - Gets the attention, however not always in tune

Anywhere you can get authority, credibility, and visibility!

Page 6: CISO Case Study  2011 V2

Secret #2

Don’t say a word…

- Fight temptation to fix

- Need to understand:

Corporate culture (loose or hard-nosed)

Who are the pushers & shakers and what's driving them

Where the challenges are, to be addressed LATER (they *will* resurface!!)

Page 7: CISO Case Study  2011 V2

Secret #3

Appearance is everything…

Offer solutions and not just problems

Cliché – business enabler vs. disabler

Understanding perceptions


Page 8: CISO Case Study  2011 V2

Secret #4

Establish Partnerships

Not just with IT!

What is important to business

Overall drivers

Learn the business, and let the business learn security

Security Council (Exec. Level)

Set strategic direction & buy-in

Players: all the "C"s (if possible), HR, Legal and Audit

Page 9: CISO Case Study  2011 V2

Secret #5

Don't scare 'em or baffle 'em

Scaring or baffling 'em will only result in a glassy-eyed look

Indirectly tells them you don't understand the business

Tell them in their own words

Impact on business

Cost of doing/not doing

Expectations

Executives want to know... Messages short and sweet

Get to the point

Be honest

Page 10: CISO Case Study  2011 V2

Secret #6 –

Auditors really are your friends…

Play nice in the sandbox

Negativity is not to be taken personally

Partnership

Common goal (the company)

Audit = attention (especially CFO)

Careful!

Only to be used by an "experienced" professional

Disclaimer - can backfire

GOAL: No surprises on reports; only confirmations

Page 11: CISO Case Study  2011 V2

Putting it all together…


Page 12: CISO Case Study  2011 V2

Putting it all together…

1 - Understand "why" you are there

Need to meet expectations

Helps decide which framework to use (if not already chosen)

2 - Framework

Understand which is best for the need

If in place - determine level of compliance/risk

Page 13: CISO Case Study  2011 V2

Putting it all together...

3 - Program management & basic practices

No matter how big or small the organization

Documentation is everything

Governance approach

Project charters, plans, schedules & meeting notes

Eliminates "misunderstandings" or misinterpretations

Ensures all are moving toward the same goal

Page 14: CISO Case Study  2011 V2

Using a Plan…

Based on 4 phases

Phase I: Gather Requirements

Phase II: Gap Analysis

Phase III: Development and Implementation

Phase IV: Ongoing Monitoring and Maintenance


Page 15: CISO Case Study  2011 V2

Security Program - Phase I

Gather Requirements

Management's Objective

Technology review: pen tests, risk assessments, compliance monitoring, audit reports

Select framework based on regulatory requirements:

SOx - COBIT/COSO

Data Privacy - pick one (NIST, ISO, etc.)

HIPAA - pick one (NIST, ISO, etc.)

Credit Card - PCI DSS

FISMA - NIST

Page 16: CISO Case Study  2011 V2

Security Program - Phase II

Gap Analysis

Audit reports, pen tests and risk assessments

Security management

What's in place?

Security agreements (contracts, SLAs, etc.)

Incident response/business continuity/disaster recovery

Policies & procedures

Workforce safeguards: Sr. Mgmt AND employees

Technology: software, hardware, network

Page 17: CISO Case Study  2011 V2

Security Program - Phase III

Develop projects to fill in the gaps

Security management

Policies & procedures drive the program!

Technology

Inventory - what do you have? Hardware, software, access control (review, etc.), DATA!

Implementation projects

Each project should have a clear objective, tasks, owners and expected time to complete documented

Metrics as they relate directly to the project

There should be no project plan w/o metrics

Page 18: CISO Case Study  2011 V2

Security Program - Phase IV

Ongoing Monitoring & Reporting

Monitoring

Policies

Business controls

Audit remediation

Risk analysis


Page 19: CISO Case Study  2011 V2

Reporting

Types of Reports

Executives - 1 pager/charts/quick view

Mid-management - 1 pager + some

"Front Line" - very specific

Trends

Everyone likes to see accomplishments

Everyone needs to see challenges

Expected actions to be taken

Defined as part of the report requirement, i.e. no reports for the sake of doing reports

Define who & when

Page 20: CISO Case Study  2011 V2

Questions?

Candy Alexander, CISSP CISM

[email protected]

Send email for copy of this presentation
