Page 1: Keith Fricke - CISO for an Hour

2016 Central Ohio InfoSec Summit

CISO for an Hour

Keith Fricke, MBA, CISSP, PMP
Principal Consultant, tw-Security
[email protected]
216-280-4430

Page 2: Keith Fricke - CISO for an Hour

Speaker Background
• 30 years in Information Technology
• 16 years in healthcare information security
• Certified Information Systems Security Professional (CISSP)
• Project Management Professional (PMP)
• Former Chief Information Security Officer for Mercy Health (Ohio)
• Managed security for Cleveland Clinic’s 9 community hospitals
• Board member of Cleveland InfraGard

Page 3: Keith Fricke - CISO for an Hour

Learning Objectives
• Gain an understanding of tips in getting a CISO job
• Gain awareness of the key actions to take early in your new position
• Become familiar with important non-technical tasks in the role
• Pick up some words of wisdom

Page 4: Keith Fricke - CISO for an Hour

Setting Expectations
• Primary audience: technical or manager-level folks looking to promote into a CISO / ISO / Director role
• Past and present CISOs may pick up a few tips too
• No guarantees in securing the role
• Designed to provide insight

Page 5: Keith Fricke - CISO for an Hour

Getting the Job
• Focus on leadership experience (can you lead?)
• Focus on project management experience (can you deliver?)
• Questions to ask:
  o Corporate initiatives
  o Security initiatives in flight and on the books
  o Expectations for first 90 days
  o Management style of your boss
  o Where security sits in the org chart

Page 6: Keith Fricke - CISO for an Hour

The First 90 Days
• Confirm expectations
• Are you taking over an existing program or building a new one?
• Risk Assessments
• Identify budget
• Building strategic relationships
• “What do I need to know about interacting with the locus of power?”

Page 7: Keith Fricke - CISO for an Hour

Building a New Program
• Define Org Chart
• Create a Services Catalog
• Use past risk assessments & identify methodology
• Conduct risk assessments if none are available
• Inventory security technology
• Understand operational ownership of security technology

Page 8: Keith Fricke - CISO for an Hour

Communications
• Interacting with C-level
  o Email
  o Meetings
  o Phone
  o Text
• Clear, Concise
• Learning how much detail is enough based on the communication medium

Page 9: Keith Fricke - CISO for an Hour

Communications
• Building relationships
  o Example: FAIR
• Direct reports and department
• Join committees
• Start committees

Page 10: Keith Fricke - CISO for an Hour

Budget 101
• Fiscal year vs. Calendar year
• CapEx vs. OpEx
  o Forecasting gotchas
  o Accruals
• Capitalizing labor
• Managing a cost center
• Know the style of budget accountability
  o Slush
  o To the Penny
• Tips on preparing for Q1, Q2 and Q4

Page 11: Keith Fricke - CISO for an Hour

Department Meetings
• Building relationships
• Recommendations of frequency
  o Keeping geographic disparity in mind
• The meeting agenda
• Celebrating

Page 12: Keith Fricke - CISO for an Hour

Running an Effective Meeting
• Agenda
  o Sending it out
  o Format
• Crucial reasons to take minutes
• Creating a parking lot – why this is a great idea
• Gaining consensus – a tip

Page 13: Keith Fricke - CISO for an Hour

Performance Reviews
• Goal Setting
  o Aligning with company
  o Aligning with department
  o Aligning with the individual
  o Some may be tied to engagement survey results
• Documentation is so critical
• Career paths

Page 14: Keith Fricke - CISO for an Hour

Projects
• Learn how to do project management time forecasting
• The two most difficult security projects in my opinion
• Expect projects to take time
• Expect security program maturity to take time
• Reduction in Force affecting project schedules
• Career paths

Page 15: Keith Fricke - CISO for an Hour

Some Tips
• Missing the boat when it comes to opportunity
• Innovative thinking can sometimes pay you back handsomely
• Building a peer network
• One of the most important aspects to develop in your security program….

Page 16: Keith Fricke - CISO for an Hour

Incident Response
• Have plans
• Test the plans
• Tap into expertise where and when you need it
  o My sidebar opinions on forensics
• Strengthen those relationships mentioned earlier

Page 17: Keith Fricke - CISO for an Hour

Contact Information
Keith Fricke
Principal Consultant, tw-Security
[email protected]

