Ten Tenets of CISO Success
Frank Kim
Session ID: STR-W04
#RSAC
#1 Catch the Culture
Organizational Culture
"Culture eats strategy for breakfast." - Peter Drucker
#2 Relate to Risk
Business Risk
[Timeline graphic, 1995-2015, plotting sophistication against time on two tracks:
Technology: First Website, Global Network, Wireless Network, Mobile Devices, Mobile Payments, Cloud Computing, Big Data, First Mobile App, Internet of Things
Threats: Basic Threats, Insider Threats, Partners, Organized Crime, Activists, Edward Snowden, Advanced Persistent Threats, Stuxnet, Nation States, Year of the Breach
Callout: $1 Trillion cost of cybercrime - World Economic Forum]
Graphic credit: Omar Khawaja
#3 Create Credibility
Creating Credibility
"A big part of being believable and building our trust is showing us how we compare to competitors, other industries, some kind of standards or benchmarks." - Board Member
#4 Shape the Strategy
Identifying a Security Framework
Security frameworks provide a blueprint for:
- Building security programs
- Managing risk
- Communicating about security
Many frameworks share common security concepts. Common program frameworks include:
- ISO 27000 Series: 27001 ISMS requirements; 27002 Code of practice; 27003 Implementation guidance; 27004 Measurement
- COBIT
- ENISA Evaluation Framework
- FFIEC Cybersecurity Assessment Tool
- NIST Cybersecurity Framework
NIST Cybersecurity Framework
Composed of three parts: Core, Implementation Tiers, Profiles
Defines a common language for managing security risk
Core has five Functions that provide a high-level, strategic view of the security life cycle: Identify, Protect, Detect, Respond, Recover
Helps organizations ask: What are we doing today? How are we doing? Where do we want to go? When do we want to get there?
Maturity Comparison Example
[Chart: maturity of the five Functions (Identify, Protect, Detect, Respond, Recover) rated on a 0-5 scale, current state vs. target state, against a Lagging / Industry / Leading band]
#5 Deliver the Deal
Mapping to Strategic Objectives
Scorecard perspectives: Financial/Stewardship; Customer/Stakeholder; Internal Business Process; Organizational Capacity or Security Capability
Strategic objectives shown on the map: Increased profitability; Increased revenue; Lower costs; Lower wait times; Increase process efficiency; Lower cycle times; Improved knowledge & skills; Improved tools & technology; Business innovation / new product support; Improved compliance & regulatory; Improved satisfaction; Improved availability & resiliency
Provide Options
Highlight trade-offs with business value, risk reduction, cost
[Chart: Option A ($), Option B ($$) and Option C ($$$) compared on business value, risk reduction and cost]
#6 Invest in Individuals
Putting Leadership Into Perspective
Boss                        | Manager               | Leader
Drives people               | Manages things        | Coach, mentor, and grow people
Thinks short-term           | Thinks mid-term       | Thinks long-term
Focused on self             | Focused on process    | Focused on people
Instills fear               | Earns respect         | Generates enthusiasm
Says "I"                    | Says "Our"            | Says "We"
Micromanages                | Delegates             | Motivates
Places blame on roadblocks  | Navigates roadblocks  | Removes roadblocks
Dictates how it's done      | Shows how it's done   | Influences how it's done
Takes credit                | Shares credit         | Gives credit
Commands                    | Asks                  | Influences
Says "Go"                   | Says "Let's go"       | Says "Way to go"
Career Management P.I.E.
Everyone should have a piece of the P.I.E.:
Performance: Perform exceptionally well
Image: Cultivate the proper image
Exposure: Manage their exposure so the right people will know them
#7 Make Metrics Matter
Metrics Hierarchy
Pyramid, top to bottom: Strategic, Operational, Technical
Focus & actions increase as you move up the pyramid
Volume of information increases as you move down the pyramid

Level        | Type      | Focus                 | Implementation
Strategic    | KPIs      | Strategic Objectives  | Balanced Scorecard
Operational  | Metrics   | Analysis & Trends     | Security Dashboard
Technical    | Measures  | Data                  | Charts & Graphs
Balanced Scorecard Example
Columns: Financial/Stewardship | Customer / Stakeholder | Internal Business Process
Each cell shows the KPI, its target, the trend, and a highlight.

Row 1
- Financial/Stewardship: Q4 % Product Development Budget Allocated to Security. Target 5%; Q4 value shown: 5%. Highlight: increased support for legal as they piloted their case management system.
- Customer / Stakeholder: Q4 % of Products Delivered On Time and On Budget. Target 95%; Q4 value shown: 95%. Highlight: 18% increase over Q3 in on-time and on-budget delivery; security staffed a temporary PMO team to meet the goal.
- Internal Business Process: Q4 % of Developers Training in Secure Coding Principles. Target 95%; Q4 value shown: 97%. Highlight: 100% of flagship application developers completed training, reducing overall risk to the organization.

Row 2
- Financial/Stewardship: Q4 & YTD Security Budget Allocation (chart).
- Customer / Stakeholder: Customer Satisfaction. Target 90%; Q4 value shown: 85%. Highlight: 8% increase over Q3 in customer satisfaction (rating of 4 or higher out of 5 possible).
- Internal Business Process: Q4 % of Developers Attaining Certification. Target 95%; Q4 value shown: 42%. Mitigation plan: follow up with developers after training is complete for certification.
Data behind the measure / metric / KPI example (DIFF_Met_Meas_KPI)

Devices on the network, current month
                              Count   %
#, % of unauthorized devices  2,574   28%
#, % of authorized devices    6,724   72%
Total                         9,298   100%

Devices on the network, by month
                              Jan     Feb     Mar
#, % of unauthorized devices  1,432   3,427   2,574
#, % of authorized devices    6,659   6,659   6,724
Total                         8,091   10,086  9,298

Time to remediate, by day of week
                                 Mon  Tue  Wed  Thu  Fri  Sat  Sun
Avg. time to remediate (hours)   4.7  2.4  8    5.2  3.7  10   11
Upper Control Limit (hours)      6    6    6    6    6    6    6
Lower Control Limit (hours)      1    1    1    1    1    1    1
Reference periods: 1,440 Minutes (1 Day); 10,080 Minutes (1 Week)
Dashboard Examples (data behind the dashboard charts)

% of product development budget allocated to security
                 Q1    Q2    Q3    Q4    YTD
% Budget         2%    3%    5%    5%    4%
Target           5%    5%    5%    5%
Previous year    2%    3%    3%    3%

Security budget vs. actuals
                 Q1          Q2          Q3          Q4          YTD
Budget           $2,190,000  $2,211,900  $2,234,019  $2,256,359  $8,892,278
Actuals          $2,491,000  $2,232,000  $2,042,000  $2,123,000  $8,888,000
  Products       $575,000    $597,000    $425,000    $732,000    $2,329,000
  Services       $1,590,000  $1,320,000  $1,190,000  $1,090,000  $5,190,000
  Training       $326,000    $315,000    $427,000    $301,000    $1,369,000
$ Variance       -$301,000   -$20,100    $192,019    $133,359    $4,278

Budget vs. actuals by category
                 Budget      Q4 Actuals  YTD Actuals  Variance
Products         $2,328,600  $732,000    $2,329,000   -$400
Services         $5,192,000  $1,090,000  $5,190,000   $2,000
Training         $1,371,678  $301,000    $1,369,000   $2,678
Rollup           $8,892,278  $2,123,000  $8,888,000   $4,278

% of products delivered on time and on budget
                 Q1    Q2    Q3    Q4    YTD
Actual           43%   75%   80%   98%   74%
Lower            55%   55%   55%   55%   55%
Upper            95%   95%   95%   95%   95%

Customer Satisfaction
                 Q1    Q2    Q3    Q4
Actual           30%   37%   77%   85%
Lower            65%   65%   65%   65%
Upper            90%   90%   90%   90%

Developers trained in secure coding
                            Q1    Q2    Q3    Q4
% Developers trained        12%   30%   75%   97%
% Developers not trained    88%   70%   25%   3%
Lower                       75%   75%   75%   75%
Upper                       95%   95%   95%   95%

Developers certified
                            Q1    Q2    Q3    Q4
% Developers certified      3%    15%   37%   42%
% Developers not certified  97%   85%   63%   58%
Lower                       75%   75%   75%   75%
Upper                       95%   95%   95%   95%
Note: Used the same data for the slide 9 example of metrics, measures and KPIs.
% of authorized vs. unauthorized devices on the network, average time to remove

                          Q1      Q2      Q3      Q4
# Unauthorized Devices    7,433   7,327   7,334   9,792
# Authorized Devices      20,042  20,057  20,062  20,067
Total                     27,475  27,384  27,396  29,859

                                 Mon  Tue  Wed  Thu  Fri  Sat  Sun  SBH
Avg. time to remediate (hours)   4.7  2.4  8    5.2  3.7  10   11   6.43
Upper Control Limit (hours)      6    6    6    6    6    6    6
Lower Control Limit (hours)      1    1    1    1    1    1    1

                                 Q1    Q2   Q3   Q4
Avg. time to remediate (hours)   6.43  5.2  5.1  9.7
Upper Control Limit (hours)      6     6    6    6
Lower Control Limit (hours)      1     1    1    1

Application Vulnerability Scanning Coverage
                 Q1     Q2     Q3     Q4
Scanned          2,137  2,276  2,282  2,292
Not Scanned      275    142    152    157
Total            2,412  2,418  2,434  2,449

# Known Vulnerabilities (current scan)
Critical/High    42
Med              572
Low              1,127
Total            1,741

Open Vulnerability Findings by Age
< 30 days        1,106
31 - 60 days     427
Over 61 Days     208
Total            1,741

Top Vulns Greater than 60 days
Cross Site Scripting   84
URL Redirect           76
Misconfiguration       43
Other                  5
Total                  208

Server Vulnerabilities Detected
                   High     Medium   Low     Total
No Known Exploit   765,000  97,000   27,000
Possible Exploit   175,000  85,000   12,000
Total              940,000  182,000  39,000  1,161,000

Possible Exploit By Region
                   High     Medium   Low     Total
London             24,680   35,429   1,862   61,971
Tokyo              25,320   14,276   6,705   46,301
New York           125,000  35,295   3,433   163,728
Total              175,000  85,000   12,000  272,000
[Chart: Mitigated High vs. Non Mitigated High]
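Added example, not from the deck: the measure-to-metric-to-KPI rollup the metrics hierarchy describes, run on the device counts, remediation times and certification figures from the dashboard data above (constructed sample data copied from those tables). The function names and the Green/Yellow/Red tolerance band are assumptions, not the deck's own convention.

```python
from statistics import mean

# Constructed sample data, copied from the deck's dashboard tables.
# Technical level - measures: raw counts and timings.
DEVICES_BY_MONTH = {"Jan": (6659, 1432), "Feb": (6659, 3427), "Mar": (6724, 2574)}  # (authorized, unauthorized)
REMEDIATION_HOURS = {"Mon": 4.7, "Tue": 2.4, "Wed": 8, "Thu": 5.2, "Fri": 3.7, "Sat": 10, "Sun": 11}
UCL_HOURS, LCL_HOURS = 6, 1                                   # control limits from the deck
DEVS_CERTIFIED_PCT = {"Q1": 3, "Q2": 15, "Q3": 37, "Q4": 42}  # target 95%

def unauthorized_pct(authorized, unauthorized):
    """Operational level - metric: share of devices that are unauthorized, as a whole percent."""
    total = authorized + unauthorized
    return round(100 * unauthorized / total) if total else 0

def out_of_control(series, ucl, lcl):
    """Operational level - metric: points outside the control limits, the ones a
    dashboard should flag for analysis instead of averaging them away."""
    return [label for label, value in series.items() if value > ucl or value < lcl]

def trend(series):
    """Direction of the latest change: the trend arrow on a scorecard row."""
    values = list(series.values())
    if len(values) < 2 or values[-1] == values[-2]:
        return "flat"
    return "up" if values[-1] > values[-2] else "down"

def kpi_status(actual, target, tolerance, higher_is_better=True):
    """Strategic level - KPI: Green when the target is met, Yellow within the
    tolerance band (an assumed convention), Red beyond it."""
    gap = target - actual if higher_is_better else actual - target
    if gap <= 0:
        return "Green"
    return "Yellow" if gap <= tolerance else "Red"

def scorecard():
    """Roll the measures up into the rows a balanced scorecard would show."""
    week_avg = round(mean(REMEDIATION_HOURS.values()), 2)   # 6.43, the deck's SBH figure
    return {
        "unauthorized_pct": {m: unauthorized_pct(*v) for m, v in DEVICES_BY_MONTH.items()},  # Mar -> 28
        "remediation_outliers": out_of_control(REMEDIATION_HOURS, UCL_HOURS, LCL_HOURS),    # Wed, Sat, Sun
        "remediation_week_avg_h": week_avg,
        "remediation_status": kpi_status(week_avg, UCL_HOURS, 1, higher_is_better=False),   # Yellow
        "certified_trend": trend(DEVS_CERTIFIED_PCT),                                        # up
        "certified_status": kpi_status(DEVS_CERTIFIED_PCT["Q4"], 95, 10),                    # Red
    }
```

The three day-of-week outliers are what the control-limit chart exists to surface; the weekly average alone (6.43 h, just over the upper limit) would hide that two of them are nearly double the limit.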
Security Capability Example
Columns: Security Capability | Status | Trend | Highlights
Identify: Manage risk to systems, assets, data, and capabilities
  Status: Yellow
  Highlights: 32% increase in unauthorized devices (29% IT, 3% HR); 27% increase in unauthorized software, attributed to Q4 BYOD pilot
Protect: Ensure delivery of critical infrastructure services
  Status: Green
  Highlights: 12% of users failed sponsored email phishing tests; 15% of employees have not passed security awareness assessments
Detect: Identify occurrence of a cybersecurity event
  Status: Green
  Highlights: 27% decrease in elevated access accounts; 275 total elevated access accounts
Respond: Take action regarding a detected cybersecurity event
  Status: Green
  Highlights: 5% of database systems with sensitive information have not been scanned by vulnerability scanners
Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
  Status: Red
  Highlights: 34% of systems not enabled with up-to-date anti-malware, attributed to Q4 BYOD pilot
#8 Master Your Message
Effective Communications
"Security people don't speak our language. In fact, at each briefing they seem to speak a different language." - Board Member
#9 Champion Change
Breaking Down the Walls
Agile: Break down walls between development and the business
DevOps: Break down walls between development and operations
SecDevOps: Break down walls between security and development, operations, business
Improve Effectiveness
#10 Solve Business Problems
Evolution of Security Leadership
Old School (Technology Focus): IT Security
New School (Business Focus): IT Security; Risk Management; Regulatory, Compliance, Legal, Privacy; Business Savvy
Graphic credit: https://www.rsaconference.com/writable/presentations/file_upload/prof-m07-from-cave-man_to-business-man-the-evolution-of-the-ciso-to-ciro.pdf
Ten Tenets of CISO Success
#1 Catch the Culture
#2 Relate to Risk
#3 Create Credibility
#4 Shape the Strategy
#5 Deliver the Deal
#6 Invest in Individuals
#7 Make Metrics Matter
#8 Master Your Message
#9 Champion Change
#10 Solve Business Problems
Frank Kim, [email protected]
Material based on SANS MGT514: Security Strategic Planning, Policy, and Leadership