Ten Tenets of CISO Success
#RSAC session STR-W04
Frank Kim, Founder, ThinkSec (@fykim, www.frankkim.net, [email protected])
Uploaded by doliem, 04-Jun-2018

TRANSCRIPT

  • #1 Catch the Culture

  • Organizational Culture (slide 3)

    "Culture eats strategy for breakfast." - Peter Drucker

  • #2 Relate to Risk

  • Business Risk (slide 5)

    [Timeline graphic, 1995 to 2015: technology adoption and threat sophistication both rising over time]

    Technology: First Website; Global Network; Mobile Devices; Wireless Network; Mobile Payments; Cloud Computing; Big Data; First Mobile App; Internet of Things

    Threats: Basic Threats; Insider Threats; Partners; Organized Crime; Activists; Edward Snowden; Advanced Persistent Threats; Stuxnet; Nation States; Year of the Breach

    $1 Trillion cost of cybercrime - World Economic Forum

    Graphic credit: Omar Khawaja

  • #3 Create Credibility

  • Creating Credibility (slide 7)

    "A big part of being believable and building our trust is showing us how we compare to competitors, other industries, some kind of standards or benchmarks." - Board Member

  • #4 Shape the Strategy

  • Identifying a Security Framework (slide 9)

    Security frameworks provide a blueprint for:
      Building security programs
      Managing risk
      Communicating about security

    Many frameworks share common security concepts. Common program frameworks include:
      ISO 27000 Series: 27001 ISMS requirements; 27002 Code of practice; 27003 Implementation guidance; 27004 Measurement
      COBIT
      ENISA Evaluation Framework
      FFIEC Cybersecurity Assessment Tool
      NIST Cybersecurity Framework

  • NIST Cybersecurity Framework (slide 10)

    Composed of three parts: Core, Implementation Tiers, Profiles

    Defines a common language for managing security risk

    Core has five Functions that provide a high-level, strategic view of the security life cycle:
      Identify
      Protect
      Detect
      Respond
      Recover

    Helps organizations ask:
      What are we doing today?
      How are we doing?
      Where do we want to go?
      When do we want to get there?

  • Maturity Comparison Example (slide 11)

    [Bar chart: each of the five Functions (Identify, Protect, Detect, Respond, Recover) scored on a 0 to 5 scale, current state against target state, with the scale banded Lagging, Industry, Leading]

  • #5 Deliver the Deal

  • Mapping to Strategic Objectives (slide 13)

    Balanced scorecard perspectives:
      Financial/Stewardship
      Customer/Stakeholder
      Internal Business Process
      Organizational Capacity or Security Capability

    Example strategic objectives to map security work onto:
      Increased profitability
      Increased revenue
      Lower costs
      Lower wait times
      Improved satisfaction
      Improved availability & resiliency
      Increase process efficiency
      Lower cycle times
      Improved compliance & regulatory
      Business innovation/new product support
      Improved knowledge & skills
      Improved tools & technology

  • Provide Options (slide 14)

    Highlight trade-offs with business value, risk reduction, cost

    [Comparison chart: Option A ($), Option B ($$), Option C ($$$), each rated on business value, risk reduction and cost]

  • #6 Invest in Individuals

  • Putting Leadership Into Perspective (slide 16)

    Boss                        Manager                  Leader
    Drives people               Manages things           Coach, mentor, and grow people
    Thinks short-term           Thinks mid-term          Thinks long-term
    Focused on self             Focused on process       Focused on people
    Instills fear               Earns respect            Generates enthusiasm
    Says "I"                    Says "Our"               Says "We"
    Micromanages                Delegates                Motivates
    Places blame on roadblocks  Navigates roadblocks     Removes roadblocks
    Dictates how it's done      Shows how it's done      Influences how it's done
    Takes credit                Shares credit            Gives credit
    Commands                    Asks                     Influences
    Says "Go"                   Says "Let's go"          Says "Way to go"

  • Career Management P.I.E. (slide 17)

    Everyone should have a piece of the P.I.E.:
      Performance: Perform exceptionally well
      Image: Cultivate the proper image
      Exposure: Manage their exposure so the right people will know them

  • #7 Make Metrics Matter

  • Metrics Hierarchy (slide 19)

    [Pyramid, top to bottom: Strategic, Operational, Technical]

    Strategic     Focus: Strategic Objectives   Implementation: Balanced Scorecard   Type: KPIs
    Operational   Focus: Analysis & Trends      Implementation: Security Dashboard   Type: Metrics
    Technical     Focus: Data                   Implementation: Charts & Graphs      Type: Measures

    Focus & actions increase as you move up the pyramid

    Volume of information increases as you move down the pyramid

  • Balanced Scorecard Example (slide 20)

    Financial/Stewardship
      Q4 % Product Development Budget Allocated to Security: 5% (target 5%)
        Increased support for legal as they piloted their case management system
      Q4 & YTD Security Budget Allocation

    Customer / Stakeholder
      Q4 % of Products Delivered On Time and On Budget: 95% (target 95%)
        18% increase over Q3 in on-time and on-budget delivery. Security staffed temporary PMO team to meet goal
      Customer Satisfaction: 85% (target 90%)
        8% increase over Q3 in customer satisfaction rating of 4 or higher out of 5 possible

    Internal Business Process
      Q4 % of Developers Training in Secure Coding Principles: 97% (target 95%)
        100% of flagship application developers completed training, reducing overall risk to organization
      Q4 % of Developers Attaining Certification: 42% (target 95%)
        Mitigation plan: Follow up with developers after training is complete for certification

    Embedded data, sheet DIFF_Met_Meas_KPI:

                                        Count   Share
        #, % of unauthorized devices    2,574   28%
        #, % of authorized devices      6,724   72%
        Total                           9,298   100%

                                        Jan     Feb     Mar
        # unauthorized devices          1,432   3,427   2,574
        # authorized devices            6,659   6,659   6,724
        Total                           8,091   10,086  9,298

                                        Mon  Tue  Wed  Thu  Fri  Sat  Sun
        Avg. time to remediate (hours)  4.7  2.4  8    5.2  3.7  10   11
        Upper Control Limit (hours)     6    6    6    6    6    6    6
        Lower Control Limit (hours)     1    1    1    1    1    1    1

      1,440 Minutes (1 Day); 10,080 Minutes (1 Week)

    Embedded data, sheet Dashboard Examples:

      % of product development budget allocated to security
                        Q1   Q2   Q3   Q4   YTD
        % Budget        2%   3%   5%   5%   4%
        Target          5%   5%   5%   5%
        Previous year   2%   3%   3%   3%

      Security budget vs. actuals
                        Q1           Q2           Q3           Q4           YTD
        Budget          $2,190,000   $2,211,900   $2,234,019   $2,256,359   $8,892,278
        Actuals         $2,491,000   $2,232,000   $2,042,000   $2,123,000   $8,888,000
          Products      $575,000     $597,000     $425,000     $732,000     $2,329,000
          Services      $1,590,000   $1,320,000   $1,190,000   $1,090,000   $5,190,000
          Training      $326,000     $315,000     $427,000     $301,000     $1,369,000
        $ Variance      -$301,000    -$20,100     $192,019     $133,359     $4,278

                        Budget       Q4 Actuals   YTD Actuals  Variance
        Products        $2,328,600   $732,000     $2,329,000   -$400
        Services        $5,192,000   $1,090,000   $5,190,000   $2,000
        Training        $1,371,678   $301,000     $1,369,000   $2,678
        Rollup          $8,892,278   $2,123,000   $8,888,000   $4,278

      % of products delivered on time and on budget
                        Q1   Q2   Q3   Q4   YTD
        Actual          43%  75%  80%  98%  74%
        Lower           55%  55%  55%  55%  55%
        Upper           95%  95%  95%  95%  95%

      Customer Satisfaction
                        Q1   Q2   Q3   Q4
        Actual          30%  37%  77%  85%
        Lower           65%  65%  65%  65%
        Upper           90%  90%  90%  90%

      Developer training
                                    Q1   Q2   Q3   Q4
        % Developers trained        12%  30%  75%  97%
        % Developers not trained    88%  70%  25%  3%
        Lower                       75%  75%  75%  75%
        Upper                       95%  95%  95%  95%

      Developer certification
                                    Q1   Q2   Q3   Q4
        % Developers certified      3%   15%  37%  42%
        % Developers not certified  97%  85%  63%  58%
        Lower                       75%  75%  75%  75%
        Upper                       95%  95%  95%  95%

      Note: Used the same data for slide 9 example of Metrics, measure and KPI: % of authorized vs. unauthorized devices on the network, average time to remove

      Devices on the network
                                Q1      Q2      Q3      Q4
        # Unauthorized Devices  7,433   7,327   7,334   9,792
        # Authorized Devices    20,042  20,057  20,062  20,067
        Total                   27,475  27,384  27,396  29,859

      Time to remediate
                                        Mon  Tue  Wed  Thu  Fri  Sat  Sun  SBH
        Avg. time to remediate (hours)  4.7  2.4  8    5.2  3.7  10   11   6.43
        Upper Control Limit (hours)     6    6    6    6    6    6    6
        Lower Control Limit (hours)     1    1    1    1    1    1    1

                                        Q1    Q2   Q3   Q4
        Avg. time to remediate (hours)  6.43  5.2  5.1  9.7
        Upper Control Limit (hours)     6     6    6    6
        Lower Control Limit (hours)     1     1    1    1

      Application Vulnerability Scanning Coverage
                      Q1     Q2     Q3     Q4
        Scanned       2,137  2,276  2,282  2,292
        Not Scanned   275    142    152    157
        Total         2,412  2,418  2,434  2,449

      # Known Vulnerabilities (current scan)
        Critical/High  42
        Med            572
        Low            1,127
        Total          1,741

      Open Vulnerability Findings by Age
        < 30 days     1,106
        31 - 60 days  427
        Over 61 days  208
        Total         1,741

      Top Vulns Greater than 60 days
        Cross Site Scripting  84
        URL Redirect          76
        Misconfiguration      43
        Other                 5
        Total                 208

      Server Vulnerabilities Detected
                          High     Medium   Low     Total
        No Known Exploit  765,000  97,000   27,000
        Possible Exploit  175,000  85,000   12,000
        Total             940,000  182,000  39,000  1,161,000

      Possible Exploit By Region
                  High     Medium  Low     Total
        London    24,680   35,429  1,862   61,971
        Tokyo     25,320   14,276  6,705   46,301
        New York  125,000  35,295  3,433   163,728
        Total     175,000  85,000  12,000  272,000

      [Chart: Mitigated High vs. Non Mitigated High, scale 0 to 272,000]

  • Security Capability Example (slide 21)

    Columns: Security Capability, Status, Trend, Highlights

    Identify: Manage risk to systems, assets, data, and capabilities - Status: Yellow
      32% increase in unauthorized devices (29% IT, 3% HR)
      27% increase in unauthorized software, attributed to Q4 BYOD pilot

    Protect: Ensure delivery of critical infrastructure services - Status: Green
      12% of users failed sponsored email phishing tests
      15% of employees have not passed security awareness assessments

    Detect: Identify occurrence of a cybersecurity event - Status: Green
      27% decrease in elevated access accounts (275 total elevated access accounts)

    Respond: Take action regarding a detected cybersecurity event - Status: Green
      5% of database systems with sensitive information have not been scanned by vulnerability scanners

    Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity event - Status: Red
      34% of systems not enabled with up to date anti-malware, attributed to Q4 BYOD pilot
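The metrics hierarchy (slide 19), the dashboard data behind the balanced scorecard (slide 20) and the per-function status on slide 21 all describe one roll-up: raw measures become metrics, and metrics become KPIs that carry a status a board can read at a glance. The following Python script is an added example, not the presenter's or SANS' code; it carries that roll-up through on the device, remediation, budget and KPI figures taken from the slide 20 data. Two things in it are assumptions made for the example: the mapping of the dashboard's Lower/Upper bands to Red/Yellow/Green, and the worst-of rule that gives a group of KPIs a single colour.

```python
"""Roll measures up into metrics and KPIs, in the shape of the deck's metrics
hierarchy: technical measures -> operational metrics -> strategic KPIs.
Added example, not the presenter's code. The sample numbers are copied from
the slide 20 dashboard data; the colour bands are an assumption."""
from dataclasses import dataclass
from statistics import mean

# Technical layer: raw measures (values from the slide 20 spreadsheet).
DEVICES_BY_MONTH = {  # month -> (unauthorized, authorized)
    "Jan": (1_432, 6_659), "Feb": (3_427, 6_659), "Mar": (2_574, 6_724),
}
REMEDIATION_HOURS = {"Mon": 4.7, "Tue": 2.4, "Wed": 8.0, "Thu": 5.2,
                     "Fri": 3.7, "Sat": 10.0, "Sun": 11.0}
UCL_HOURS, LCL_HOURS = 6.0, 1.0          # upper / lower control limits
BUDGET = [2_190_000, 2_211_900, 2_234_019, 2_256_359]    # Q1..Q4
ACTUALS = [2_491_000, 2_232_000, 2_042_000, 2_123_000]   # Q1..Q4


# Operational layer: metrics derived from the measures.
def unauthorized_share(month: str) -> int:
    """Percent of devices that are unauthorized, rounded as the dashboard shows it."""
    unauth, auth = DEVICES_BY_MONTH[month]
    return round(100 * unauth / (unauth + auth))


def out_of_control_days() -> list:
    """Days whose average time to remediate falls outside the control limits."""
    return [day for day, hrs in REMEDIATION_HOURS.items()
            if not LCL_HOURS <= hrs <= UCL_HOURS]


def weekly_mean_remediation() -> float:
    """Mean remediation time over the week, two decimals as on the sheet."""
    return round(mean(REMEDIATION_HOURS.values()), 2)


def budget_variance() -> tuple:
    """Per-quarter variance (budget minus actuals) and the year-to-date sum."""
    per_quarter = [b - a for b, a in zip(BUDGET, ACTUALS)]
    return per_quarter, sum(per_quarter)


# Strategic layer: KPIs with a status. Assumption: below the dashboard's
# Lower band is Red, at or above the Upper band is Green, in between Yellow.
RANK = {"Green": 0, "Yellow": 1, "Red": 2}


@dataclass
class KPI:
    name: str
    actual: float   # percent achieved in the period
    lower: float    # dashboard "Lower" band
    upper: float    # dashboard "Upper" band

    def status(self) -> str:
        if self.actual < self.lower:
            return "Red"
        if self.actual < self.upper:
            return "Yellow"
        return "Green"


Q4_KPIS = [  # Q4 actuals and bands from the slide 20 data
    KPI("% of products delivered on time and on budget", 98, 55, 95),
    KPI("Customer satisfaction rating of 4 or higher", 85, 65, 90),
    KPI("% of developers trained in secure coding", 97, 75, 95),
    KPI("% of developers attaining certification", 42, 75, 95),
]


def kpi_statuses(kpis=Q4_KPIS) -> dict:
    """Name -> colour for each KPI."""
    return {k.name: k.status() for k in kpis}


def rollup_status(kpis=Q4_KPIS) -> str:
    """One colour for a group of KPIs (such as one CSF function on slide 21).
    Assumption: the worst individual status wins, so a single Red cannot
    hide behind several Greens."""
    return max((k.status() for k in kpis), key=RANK.__getitem__)


if __name__ == "__main__":
    print("unauthorized share, Mar:", unauthorized_share("Mar"), "%")
    print("days outside control limits:", out_of_control_days())
    print("weekly mean remediation (h):", weekly_mean_remediation())
    print("budget variance per quarter, YTD:", budget_variance())
    for name, colour in kpi_statuses().items():
        print(f"{colour:6} {name}")
    print("rollup:", rollup_status())
```

Each layer only reads the one below it, which is the point of the pyramid: the board sees four colours and one roll-up, the dashboard owner sees the percentages and control-limit breaches behind them, and the analyst keeps the raw counts. Changing a band or the roll-up rule changes the story the KPI tells without touching a single measure, which is why those thresholds deserve to be written down and agreed with the business rather than left implicit in a spreadsheet.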

  • #8 Master Your Message

  • Effective Communications (slide 23)

    "Security people don't speak our language. In fact, at each briefing they seem to speak a different language." - Board Member

  • #9 Champion Change

  • Breaking Down the Walls (slide 26)

    Agile: Break down walls between development and the business
    DevOps: Break down walls between development and operations
    SecDevOps: Break down walls between security and development, operations, business

  • Improve Effectiveness (slide 27)

  • #10 Solve Business Problems

  • Evolution of Security Leadership (slide 29)

    Old School: IT Security; Technology Focus
    New School: IT Security; Risk Management; Regulatory, Compliance, Legal, Privacy; Business Savvy; Business Focus

    Graphic credit: https://www.rsaconference.com/writable/presentations/file_upload/prof-m07-from-cave-man_to-business-man-the-evolution-of-the-ciso-to-ciro.pdf

  • Ten Tenets of CISO Success (slide 31)

    #1 Catch the Culture
    #2 Relate to Risk
    #3 Create Credibility
    #4 Shape the Strategy
    #5 Deliver the Deal
    #6 Invest in Individuals
    #7 Make Metrics Matter
    #8 Master Your Message
    #9 Champion Change
    #10 Solve Business Problems

  • Frank Kim ([email protected])

    Material based on SANS MGT514: Security Strategic Planning, Policy, and Leadership
