CISO 90 Day Plan
Nelson Chen, M.Sc. IT, CISSP, CISA, CISM
Agenda
• Why are we here?
• Days 0–30
• Days 31–60
• Days 61–90
• Days 90+
• Infinity & Beyond
Avoiding Really Bad News!
<Your Company Name Here> Data Breach!
Don't be the Blocker!
Don't be the Prophet of Doom
Toughest Part of the Job
CISO Post-Breach
Days 0–30
Establishing Relationships & Trust
Selling CISO as a Service
• Business enablement
• FUD is not the only pitch
• Education
• Shared responsibility
• Get support and buy-in
• Add Value!
Taking Initial Inventory
• Organizational Structure - Who's who
 – Execs, BU Leaders, IT Ops, Internal Audit
• Existing Policies, Processes, etc.
• Existing Technologies
• Where's the Data?
• Historical Security Incidents
• Shadow IT
Leading Towards Better Security
Servant Leadership
Security Surrounds us, Penetrates us and Binds us Together
Days 31–60
Prioritizing & Project Kickoff
Back to Basics - CIA Triad
• Keeping it secret (Confidentiality)
• Keeping it together (Integrity)
• Keeping it up (Availability)
Fox-in or Fox-out?
Team or Committee?
Security Team Building
• BU InfoSec Officers – Legal, Finance, Sales, Marketing, HR, Development, IT, etc.
• Committee driven
• Executive sponsor
• Internal audit is your friend
• Where are all the resources?
Security Committee Goals
• Business Security Mission Statement
• Aligning security with each BU - what are we protecting?
• Taking detailed inventory – Processes, Systems, Data, People
• Budgetize, Prioritize, Projectize
• Reporting directly to C-levels
Security Assessment & Gap Analysis
• Capability Maturity Model (CMMI)
• Cybermaturity Platform
CMMI – 5 Levels
• Level 1 – Initial: Processes are unpredictable, poorly controlled, reactive.
• Level 2 – Managed: Processes are planned, documented, performed, monitored, and controlled at the project level. Often reactive.
• Level 3 – Defined: Processes are well characterized and understood. Processes, standards, procedures, tools, etc. are defined at the organizational level. Proactive.
• Level 4 – Quantitatively Managed: Processes are controlled using statistical and other quantitative techniques.
• Level 5 – Optimizing: Process performance continually improved through incremental and innovative technological improvements.
Source: CMMI Institute
WTF-OMG Compliance
How and Where to Focus?
Critical Business Processes
Patch Management is Paramount!
Data Inventory
• What, where, why, when & how
• Follow the data trail
• Backups
• End-user computers
• Storage media
• Archived applications
• What's in the Cloud?
Data Classification
• Public, Internal, Confidential, Secret
• PII: Customer & Employee
• Defined Repositories
• Commensurate Security Levels
• Managed Data Life Cycle
Security Policy
• Compliance Driven
• Business Driven
• Ownership
• 3rd party
• Customer Input
• Training
• Controls Design & Mapping
 – Cloud Controls Matrix (CCM) - Cloud Security Alliance
Days 61–90
Building Secure Foundations
Security vs Security Operations
SecOps
Security Awareness Training
• Business Unit Relevance
• Joint delivery with BU-ISO
• Compliance driven
• Sec-Dev-Ops Training
• Relevant 3rd Party training
Application Security
• Every company is a technology company
• In-house vs 3rd Party
• Secure SDLC
• Training
• Your web app!
Source: Verizon 2018 DBIR
Business Continuity
• Business Process Driven
• Disaster Recovery – Defined RTOs & RPOs
• Backup Strategy
• Denial of Service
• Testing
Prepare for the Worst
Data Breach Preparedness
• Breach Scenario Planning
• Table-top Exercises
• Decision Tree
• Detection & Logging
• Contact Lists
• Time-to-Notify
• Bitcoins?!
Data Breach Response Plan
IN CASE OF EMERGENCY BREAK GLASS
Customer-Facing Security
• Securing Client Services
• Supporting Sales
• Customer Security Compliance
• Vendor Security Questionnaires
• Legal Agreements – Security Language
Days 90+
Security is a Board-level Problem
And a message from the
• On November 1, 2018, Data Breach Notification Laws will be enforced in Canada
KEEP CALM, DO THE RIGHT THING AND CYA
The Tribe Has Spoken…
NOT ME
Chief I'm the Scapegoat Officer
Questions?