CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda - - PowerPoint PPT Presentation



SLIDE 1

CISO 90 Day Plan

Nelson Chen, M.Sc. IT, CISSP, CISA, CISM

SLIDE 2

Agenda

  • Why are we here?
  • Days 0 – 30
  • Days 31 – 60
  • Days 61 – 90
  • Days 90+
  • Infinity & Beyond
SLIDE 3

Avoiding Really Bad News!

<Your Company Name Here> Data Breach!

SLIDE 4

Don’t be the Blocker!

M A Y B E

SLIDE 5

Don’t be the Prophet of Doom

SLIDE 6

Toughest Part of the Job

SLIDE 7

CISO Post-Breach

SLIDE 8

0 - 30

Establishing Relationships & Trust

SLIDE 9

Selling CISO as a Service

  • Business enablement
  • FUD is not the only pitch
  • Education
  • Shared responsibility
  • Get support and buy-in
  • Add Value!
SLIDE 10

Taking Initial Inventory

  • Organizational Structure – Who’s who
    – Execs, BU Leaders, IT Ops, Internal Audit

  • Existing Policies, Processes, etc.
  • Existing Technologies
  • Where’s the Data?
  • Historical Security Incidents
  • Shadow IT
SLIDE 11

Leading Towards Better Security

SLIDE 12

Servant Leadership

SLIDE 13

Security Surrounds us, Penetrates us and Binds us Together

SLIDE 14

31 - 60

Prioritizing & Project Kickoff

SLIDE 15

Back to Basics - CIA Triad

  • Confidentiality – Keeping it secret
  • Integrity – Keeping it together
  • Availability – Keeping it up

SLIDE 16

Fox-in or Fox-out?

SLIDE 17

Team or Committee?

SLIDE 18

Security Team Building

  • BU InfoSec Officers – Legal, Finance, Sales, Marketing, HR, Development, IT, etc.

  • Committee driven
  • Executive sponsor
  • Internal audit is your friend
  • Where are all the resources?


SLIDE 19

Security Committee Goals

  • Business Security Mission Statement
  • Aligning security with each BU
  • What are we protecting?
  • Taking detailed inventory
    – Processes, Systems, Data, People

  • Budgetize, Prioritize, Projectize
  • Reporting directly to C-levels


SLIDE 20

Security Assessment & Gap Analysis

  • Capability Maturity Model (CMMI)
  • Cybermaturity Platform
SLIDE 21

CMMI Institute

CMMI – 5 Levels

  • Level 1 – Initial: Processes are unpredictable, poorly controlled, reactive.
  • Level 2 – Managed: Processes are planned, documented, performed, monitored, and controlled at the project level. Often reactive.
  • Level 3 – Defined: Processes are well characterized and understood. Processes, standards, procedures, tools, etc. are defined at the organizational (Organization X) level. Proactive.
  • Level 4 – Quantitatively Managed: Processes are controlled using statistical and other quantitative techniques.
  • Level 5 – Optimizing: Process performance continually improved through incremental and innovative technological improvements.

SLIDE 22

WTF-OMG Compliance

SLIDE 23

How and Where to Focus?


SLIDE 24

Critical Business Processes


SLIDE 25

Patch Management is Paramount!


SLIDE 26

Data Inventory

  • What, where, why, when & how
  • Follow the data trail
  • Backups
  • End-user computers
  • Storage media
  • Archived applications
  • What’s in the Cloud?
SLIDE 27

Data Classification

  • Public, Internal, Confidential, Secret
  • PII: Customer & Employee
  • Defined Repositories
  • Commensurate Security Levels
  • Managed Data Life Cycle
SLIDE 28

Security Policy

  • Compliance Driven
  • Business Driven
  • Ownership
  • 3rd party
  • Customer Input
  • Training
  • Controls Design & Mapping
    – Cloud Controls Matrix (CCM) – Cloud Security Alliance

SLIDE 29

61 - 90

Building Secure Foundations

SLIDE 30

Security vs Security Operations


SLIDE 31

Security Awareness Training

  • Business Unit Relevance
  • Joint delivery with BU-ISO
  • Compliance driven
  • Sec-Dev-Ops Training
  • Relevant 3rd Party training
SLIDE 32

Application Security

  • Every company is a technology company

  • In-house vs 3rd Party
  • Secure SDLC
  • Training
  • your Webapp!

Source: Verizon 2018 DBIR

SLIDE 33

Business Continuity

  • Business Process Driven
  • Disaster Recovery
    – Defined RTOs & RPOs

  • Backup Strategy
  • Denial of Service
  • Testing


SLIDE 34

Prepare for the Worst

SLIDE 35

Data Breach Preparedness

  • Breach Scenario Planning
  • Table-top Exercises
  • Decision Tree
  • Detection & Logging
  • Contact Lists
  • Time-to-Notify
  • Bitcoins?!

Data Breach Response Plan: In Case of Emergency, Break Glass

SLIDE 36

Customer-Facing Security

  • Securing Client Services
  • Supporting Sales
  • Customer Security Compliance
  • Vendor Security Questionnaires
  • Legal Agreements – Security Language
SLIDE 37

90+

SLIDE 38

Security is a Board-level Problem

SLIDE 39

And a message from the

  • On November 1, 2018, Data Breach Notification Laws will be enforced in Canada

SLIDE 40

KEEP CALM DO THE RIGHT THING AND CYA

SLIDE 41

The Tribe Has Spoken …

NOT ME NOT ME

SLIDE 42

Chief I’m the Scapegoat Officer

Questions?