New InfoSec Leader: The First 90 Days
John Bruce, CEO

Agenda
- Introduction
- Co3 Systems
- Role of the CISO
- Three critical changes
- Suggestions

The next challenge in security (diagram): products and services mapped against prevention, detection and response.

Co3 Systems platform overview (diagram): SSAE 16 Type II certified; connecting people, process and technology for times of crisis.
- Incident intake: automated escalation, email, web form, trouble ticketing, entry wizard, SIEM
- Incident response plan: instant creation and streamlined collaboration with HR, IT, legal/compliance and marketing
- Plan synthesis from industry standard frameworks, contractual requirements, community best practices, organizational SOPs, and global privacy and breach regulations
- Integrated intelligence, artifact correlation, dashboards and reporting
- Accelerated mitigation via trouble ticketing, GRC and SIEM integration

What others say about Co3
- "Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." (PC Magazine, Editors' Choice)
- "One of the most important startups in security" (Business Insider)
- "One of the hottest products at RSA" (Network World)
- "...an invaluable weapon when responding to security incidents." (Government Computer News)
- "Co3 has done better than a home-run... it has knocked one out of the park." (SC Magazine)
- "Platform is comprehensive, user friendly, and very well designed." (Ponemon Institute)
- "Co3 defines what software packages for privacy look like." (Gartner)
- Most Innovative Company 2014, Top 10, RSA Conference

Today's goal: "Prescription prior to diagnosis is malpractice."

What we will cover today
- Defining Chief Information Security Officer
- Your new context: getting a handle on what's around you, including three major changes you'll see as a new CISO
- Recommendations: getting started quickly in your new role

DEFINING CISO
CISOs can come in multiple flavors
Traditional:
- Most senior manager specifically dedicated to InfoSec
- Is no more than two steps away from the CEO
- Has a staff of SMEs covering each of the areas of responsibility
- Has dedicated administrative support
Other:
- Scope may be limited to a division, business unit or geography
- May be a collateral duty
- May be buried deeper in the hierarchy

What's a Chief Information Security Officer?
A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. (wikipedia.org)
Diagram labels: Scope of Authority; Scope of Responsibilities.

CISO, how are you enjoying the job?
- 33%: good job but not the best
- 32%: bad job but not the worst
- 24%: worst job I ever had
- 11%: best job I ever had

Average tenure of a CISO
- 2010, per Gartner: 4.1 years
- 2013, per Ponemon: 2.1 years
- 2014, per Veracode: 18 months
"Chief Information Scapegoat Officer": career is shortly over.

So, why are you getting the job?
- 52%: ex-post response to a security incident or breach
- 21%: ex-post response to compliance and regulatory snafus
- The balance is the natural movement of people, places and prospects

Ranking of critical success factors
1. Adequate funding
2. Preparedness
3. Support structures
4. Leadership
5. Organizational structure
6. Domain expertise or knowledge
7. Agility

3 IMPORTANT CHANGES
Three important changes (?)
- Executive Sponsorship
- Expanded Scope
- Broader Relationships

Expanded scope

YOUR path to CISO? (diagram): Engineering, Legal, Compliance, Other?, all leading to CISO.

"I'm FAMILIAR with it, so it must be the RIGHT solution."

Embracing the familiar may or may not be good
- Replicating your familiar technology kit?
- Conducting an audit?
- Reviewing regulatory requirements?
- Writing new policies?
- Conducting tests (DR, penetration, etc.)?
Rational alternative: examine the unfamiliar aspects of your new role, which may reveal shortfalls in your own abilities, your team's abilities and your management's abilities.

Internal expansion of responsibilities
- Disaster Recovery/Business Continuity
- Awareness and Training
- Audit and Certification (performing and responding)
- Engineering/Development
- Policy
- Physical Security
- Sales and Marketing
Diagram labels: CISO, AA??

Broader relationships

What's a Relationship? (diagram): You and Your Counterpart
- Known personality and agenda
- Tailored communication and requests
- Maximum probability of success

Cultivating new relationships
- Auditors and auditor-like* entities
- Upper management and the BoD
- The staff and management of the security department(s) reporting to the CISO
- Other stakeholders in the business (managers of other groups that provide or receive services from the security group), including Sales and Marketing
- Vendors
- Colleagues and counterparts (in other companies)
- Law Enforcement
* Internal and external auditors, inspectors, examiners, certification authorities, etc.

Executive sponsorship

Assessing executive involvement vs. commitment
Two key indicators:
- Deployment and use of appropriate technologies (a reflection of substantial and judicious investment)
- Employee behaviors (a reflection of executive willingness to enforce good policies)
Scale: Involved ... Committed

Walk vs. Talk (magic quadrant; Walk on the vertical axis, Talk on the horizontal)
            Low talk        High talk
High walk   Underachiever   Leaders
Low walk    Incompetent     Blowhards
Different strategies required for the CISO!

Two options: Option 1, Option 2

Consciousness & Competence model (2x2; Consciousness on the vertical axis, Competence on the horizontal)
- Unconscious Incompetent: everyone starts here.
- Conscious Incompetent: most important step. Your job #1???
- Conscious Competent
- Unconscious Competent

Can you communicate with executive management?
"'Twas brillig, and the slithy toves / Did gyre and gimble in the wabe."
Huh? Say wut? WTF dude.
"Well, thanks for your time. We'll be in touch."

A RUNNING START
360 view of your new role (diagram): CISO at the center
- Relationships: Executives, Board; External Entities; Your management; Stakeholders; Your Team; Business
- Yourself: Technology; Vision, skill; Leadership; Context, strategy

First 90 days: executive sponsorship
- Do a quick determination of commitment: are your executives chickens or pigs?
  - Investment in technologies
  - Willingness to hold people accountable
- Your direction will be guided by the answer: Education or Execution

First 90 days: internal concerns
- Your expertise: develop at least a basic understanding of best practice in each of your institutional areas of responsibility, sufficient to be able to communicate effectively with your specialists.
- Staff assessment: determine the expertise and reliability of subordinate leaders in each of these areas.
- Gap analysis: assess the current state of each of these areas of specialization, and evaluate whether or not the current capabilities and capacity are sufficient for the business context.
- Leadership: especially for first-time managers, your value is in your ability to serve and empower your staff, not in directing them.

First 90 days: external relationships
- Identify your auditors* right away; schedule meetings as soon as possible
- Identify "problem children": those that have a bad history with InfoSec (which may be justified)
- Beware the most toxic executives: intimidators
- Strike a balance between humility and fortitude
- Precedents are easier to set at the beginning
- Consider vendors as friends, not foes
* and auditor-like entities

First 90 days: immediate priorities (candidates)
- Re-balancing prevention, detection, response? Inability to respond may be the highest risk for a new CISO
- How's your DevOps: do you have the maturity in your development and operations processes to support security initiatives?
- Excessive privilege/cm: who can change the production environment? With what approval?
- How's your situational awareness: are your detection/monitoring processes sufficient to deliver actionable intelligence?
- What about your IT architecture: proper segregation? Sufficient test environments?

Wrapping it up
- Leadership & Vision
- Strategic Focus
- Catalyst for Risk Mgt
- Effective Relationships
- Technical Savvy

John Bruce, CEO
jbruce@co3sys.com
One Alewife Center, Suite 450, Cambridge, MA 02140
Phone: 617.206.3900
WWW.CO3SYS.COM