ciso 90 day plan
play

CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda - PowerPoint PPT Presentation

Nov 28, 2023 •238 likes •675 views

CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0 30 Days 31 60 Days 61 90 Days 90+ Infinity & Beyond Avoiding Really Bad News! <Your Company Name Here> Data

  1. CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM

  2. Agenda • Why are we here? • Days 0 – 30 • Days 31 – 60 • Days 61 – 90 • Days 90+ • Infinity & Beyond

  3. Avoiding Really Bad News! <Your Company Name Here> Data Breach!

  4. Don’t be the Blocker! E B Y A M

  5. Don’t be the Prophet of Doom

  6. Toughest Part of the Job

  7. CISO Post-Breach

  8. Establishing Relationships & Trust 0 - 30

  9. Selling CISO as a Service • Business enablement • FUD is not the only pitch • Education • Shared responsibility • Get support and buy-in • Add Value!

  10. Taking Initial Inventory • Organizational Structure - Who’s who – Execs, BU Leaders, IT Ops, Internal Audit • Existing Policies, Processes, etc. • Existing Technologies • Where’s the Data? • Historical Security Incidents • Shadow IT

  11. Leading Towards Better Security

  12. Servant Leadership

  13. Security Surrounds us, Penetrates us and Binds us Together

  14. Prioritizing & Project Kickoff 31 - 60

  15. Back to Basics - CIA Triad Keeping it secret Keeping it together Keeping it up Central Oregon Community College

  16. Fox-in or Fox-out?

  17. Team or Committee?

  18. Security Team Building • BU InfoSec Officers – Legal, Finance, Sales, Marketing, HR, Development, IT, etc • Committee driven • Executive sponsor • Internal audit is your friend • Where are all the resources? KissPNG

  19. Security Committee Goals • Business Security Mission Statement • Aligning security with each BU - what are we protecting? • Taking detailed inventory – Processes, Systems, Data, People • Budgetize, Prioritize, Projectize • Reporting directly to C-levels KissPNG

  20. Security Assessment & Gap Analysis • Capability Maturity Model (CMMI) • Cybermaturity Platform

  21. CMMI – 5 Levels Process performance continually Level 5 improved through incremental and innovative technological Optimizing improvements. Level 4 Processes are controlled using statistical Quantitatively and other quantitative techniques. Managed Level 3 Processes are well characterized and understood. Processes, standards, procedures, tools, etc. are Defined defined at the organizational (Organization X ) level. Proactive. Level 2 Processes are planned, documented, performed, monitored, Managed and controlled at the project level. Often reactive. Level 1 Initial Processes are unpredictable, poorly controlled, reactive. CMMI Institute

  22. WTF-OMG Compliance

  23. How and Where to Focus? The Cybersecurity Hub on Twitter

  24. Critical Business Processes Apttus

  25. Patch Management is Paramount! National Library of Austrailia

  26. Data Inventory • What, where, why, when & how • Follow the data trail • Backups • End-user computers • Storage media • Archived applications • What’s in the Cloud?

  27. Data Classification • Public, Internal, Confidential, Secret • PII: Customer & Employee • Defined Repositories • Commensurate Security Levels • Managed Data Life Cycle

  28. Security Policy • Compliance Driven • Business Driven • Ownership • 3 rd party • Customer Input • Training • Controls Design & Mapping – Cloud Controls Matrix (CCM) - Cloud Security Alliance

  29. Building Secure Foundations 61 - 90

  30. Security vs Security Operations SecOps Wordpress

  31. Security Awareness Training • Business Unit Relevance • Joint delivery with BU-ISO • Compliance driven • Sec-Dev-Ops Training • Relevant 3 rd Party training

  32. Application Security Verizon 2018 DBIR • Every company is a technology company • In-house vs 3 rd Party • Secure SDLC • Training • your Webapp!

  33. Business Continuity • Business Process Driven • Disaster Recovery – Defined RTOs & RPOs • Backup Strategy • Denial of Service • Testing Stepup IT

  34. Prepare for the Worst

  35. Data Breach Preparedness • Breach Scenario Planning • Table-top Exercises IN CASE OF • Decision Tree EMERGENCY BREAK GLASS Data Breach • Detection & Logging Response Plan • Contact Lists • Time-to-Notify • Bitcoins?!

  36. Customer-Facing Security • Securing Client Services • Supporting Sales • Customer Security Compliance • Vendor Security Questionnaires • Legal Agreements – Security Language

  37. 90+

  38. Security is a Board-level Problem

  39. And a message from the • On November 1, 2018, Data Breach Notification Laws will be enforced in Canada

  40. KEEP CALM DO THE RIGHT THING AND CYA

  41. The Tribe Has Spoken … NOT ME NOT ME

  42. Chief I’m the Scapegoat Officer Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital Guardian CISO Mentoring Webinar Series Landing Your First CISO Job 1 About Steve Katz

Digital Guardian CISO Mentoring Webinar Series Landing Your First CISO Job 1 About Steve Katz

Digital Guardian CISO Mentoring Webinar Series Landing Your First CISO Job 1 About Steve Katz Recognized as the Worlds First CISO. Wealth of experience including Citigroup, JP Morgan, Deloitte, and Kaiser Permanente

379 views • 26 slides
Mentoring Webinar Series Stories From the CISO Trenches 1 About Larry Brock Principal at

Mentoring Webinar Series Stories From the CISO Trenches 1 About Larry Brock Principal at

Digital Guardian CISO Mentoring Webinar Series Stories From the CISO Trenches 1 About Larry Brock Principal at Brock Cyber Security Consulting LLC Former Global Chief Information Security Officer (CISO) at DuPont (11 years) Held

532 views • 31 slides
phase plan to prepare your business today Jaya Baloo CISO KPN #teissamsterdam19 The Quantum

phase plan to prepare your business today Jaya Baloo CISO KPN #teissamsterdam19 The Quantum

14:30 14:50 The Quantum Threat and a three- phase plan to prepare your business today Jaya Baloo CISO KPN #teissamsterdam19 The Quantum Project Jaya Baloo 16/5/2019 What type of problems can we solve with a Quantum Computer Moore

649 views • 18 slides
CIO / CISO perspectives Challenges and opportunities Trond Ellefsen Head of IT Statoil

CIO / CISO perspectives Challenges and opportunities Trond Ellefsen Head of IT Statoil

CIO / CISO perspectives Challenges and opportunities Trond Ellefsen Head of IT Statoil Development and Production North America 2012-11-26 CISO keynote 1 Content and perspective 2 Common threats and the new Art of war 3 Weapons of mass

425 views • 18 slides
EVOLUTION OF THE CISO And the Confluence of IT Security &amp; Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security &amp; Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security &amp; Audit Thomas Borton, MBA, CISA, CISM, CRISC, CISSP Director, IT Security &amp; Compliance 13 March 2014 AGENDA 1. Introduction 2. Evolution of the CISO: Past, Present &amp; Future

200 views • 18 slides
HOMELAND SECURITY: CYBER-SECURITY AT THE LOCAL LEVEL Kirk Bailey, CISSP, CISM CISO, UW Ernie

HOMELAND SECURITY: CYBER-SECURITY AT THE LOCAL LEVEL Kirk Bailey, CISSP, CISM CISO, UW Ernie

HOMELAND SECURITY: CYBER-SECURITY AT THE LOCAL LEVEL Kirk Bailey, CISSP, CISM CISO, UW Ernie Hayden, CISSP CISO, Port of Seattle HOW BIG IS THE JOB? WHAT IS INVOLVED (THE SCOPE OF IT)? WHAT ARE THE TOUGH CHALLENGES? WHAT DOES THE FUTURE

377 views • 36 slides
BCNET Shared CISO Wency Lum, Farooq Naiyer and Ivor MacKay Speakers: Wency Lum CIO University

BCNET Shared CISO Wency Lum, Farooq Naiyer and Ivor MacKay Speakers: Wency Lum CIO University

Conference 2018 Conference 2018 BCNET Shared CISO Wency Lum, Farooq Naiyer and Ivor MacKay Speakers: Wency Lum CIO University of Victoria, Chair of the Cybersecurity and Identity Management Services Committee Farooq Naiyer Shared CISO at

458 views • 24 slides
Zero Trust &amp; The Flaming Sword of Justice Dave Lewis, Global Advisory CISO September 26th,

Zero Trust &amp; The Flaming Sword of Justice Dave Lewis, Global Advisory CISO September 26th,

Zero Trust &amp; The Flaming Sword of Justice Dave Lewis, Global Advisory CISO September 26th, 2018 Please Allow Me To Introduce Myself.. #WHOAMI Dave Lewis, Global Advisory CISO Castles Dont Scale Dont trust something just because

880 views • 44 slides
Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical

Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical

Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical Intelligence Security OWASP Ghana 2019 Who is this talk for? - Individuals, developers and sys admins. Are you sure youve been hacked? Q1:

247 views • 11 slides
STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com www.bluebox.com @BlueboxSec

STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com www.bluebox.com @BlueboxSec

STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com www.bluebox.com @BlueboxSec About ME About ME Experience Co-founder Bluebox Security CISO, Heroku CISO, TiVo Walt Disney . Other nifty stuff Coded

465 views • 21 slides
BroCon 2015 Welcome Adam Slagell NCSA CISO &amp; CyberSec Div. Director August 4 th , 2015

BroCon 2015 Welcome Adam Slagell NCSA CISO &amp; CyberSec Div. Director August 4 th , 2015

BroCon 2015 Welcome Adam Slagell NCSA CISO &amp; CyberSec Div. Director August 4 th , 2015 National Center for Supercomputing Applications University of Illinois at UrbanaChampaign Lets thank some people Harry Hoffman &amp; MIT

221 views • 19 slides
Heller Information Security Meeting: Year 1 at Brandeis Michael Corn DCIO and CISO

Heller Information Security Meeting: Year 1 at Brandeis Michael Corn DCIO and CISO

Heller Information Security Meeting: Year 1 at Brandeis Michael Corn DCIO and CISO http://blogs.brandeis.edu/insights Library and Technology Services Whats new at LTS? Coming soon: a new social sciences librarian, a web team member

158 views • 12 slides
Tomasz ciso Software Engineer Samsung R&amp;D Center Poland The Earth Guard development

Tomasz ciso Software Engineer Samsung R&amp;D Center Poland The Earth Guard development

Highly portable HTML5 games on Tizen Developer Conference May 2013 San Francisco USA Tomasz ciso Software Engineer Samsung R&amp;D Center Poland The Earth Guard development story Code once - for Tizen and deploy your application on

350 views • 15 slides
Quali&amp;es of an Effec&amp;ve CISO Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA,

Quali&amp;es of an Effec&amp;ve CISO Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA,

Quali&amp;es of an Effec&amp;ve CISO Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA Vice President- K3DES LLC mike.villegas@k3des.com November 13, 2015 2015 IIA-Orange County 1 Abstract Hiring a Chief Informa?on Security

642 views • 31 slides
Stefan Hager Brief introduction Stefan Hager Bryan K Fite @khae @BryanFite Global CISO by day

Stefan Hager Brief introduction Stefan Hager Bryan K Fite @khae @BryanFite Global CISO by day

Bryan K Fite Stefan Hager Brief introduction Stefan Hager Bryan K Fite @khae @BryanFite Global CISO by day Works for DATEV eG and Packet Master in Germany @ night Why are we doing this talk? How Cyber impacts the physical domain Bad

532 views • 23 slides
CYBERSECURITY Cultural Change to Support the Business Sandra E. Paul-Blanc, CISO NARA Dr. Philip

CYBERSECURITY Cultural Change to Support the Business Sandra E. Paul-Blanc, CISO NARA Dr. Philip

CYBERSECURITY Cultural Change to Support the Business Sandra E. Paul-Blanc, CISO NARA Dr. Philip Kulp, Cybersecurity Consultant, NARA Agenda Cybersecurity culture Layered security Incident Response Challenges with public systems

364 views • 32 slides
IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National

IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National

NIST IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National Institute of Standards and Technology (NIST) US Department of Commerce NIST Integrated, hybrid networks of cyber and engineered physical

361 views • 25 slides
Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn

Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn

Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn 2011 Week 4 Prof Hans Georg Schaathun Security Standards Autumn 2011 Week 4 1 / 1 Evolution of Standards Outline Prof Hans Georg

521 views • 36 slides
Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019

Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019

Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019 James Davenport Introduction to cybersecurity for Generalists 1 / 16 CM50209: Security and Integrity Course is 6 ECTS (12 CATS) credits, in Semester

394 views • 16 slides
Phishing: New Internet Financial Fraud Trend by Yuejin Du CNCERT/CC Feb. 24 th . 2005 APRICOT

Phishing: New Internet Financial Fraud Trend by Yuejin Du CNCERT/CC Feb. 24 th . 2005 APRICOT

Phishing: New Internet Financial Fraud Trend by Yuejin Du CNCERT/CC Feb. 24 th . 2005 APRICOT www.cert.org.cn Attendee Investigation National Computer network Emergency Response technical Team/Coordination Center of China Contents

374 views • 21 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
forensics tries to reconstruct and explain activities and events their actors and participants

forensics tries to reconstruct and explain activities and events their actors and participants

forensics tries to reconstruct and explain activities and events their actors and participants causes consequences individual forensic procedures in the best case can only provide parts of the puzzle for the whole

299 views • 16 slides
Systems Security Final Class! (SysSec) Systems Security - Spring 2020 So what did I learn?

Systems Security Final Class! (SysSec) Systems Security - Spring 2020 So what did I learn?

Systems Security Final Class! (SysSec) Systems Security - Spring 2020 So what did I learn? Experiences Learned concepts covered in class in a hands-on virtual environment Extra competition to gain additional insight Lockdown v8!

496 views • 13 slides
Remote Forensic Investigations (In the Context of COVID-19) Xavier Mertens | PTS20 | July 2020

Remote Forensic Investigations (In the Context of COVID-19) Xavier Mertens | PTS20 | July 2020

Remote Forensic Investigations (In the Context of COVID-19) Xavier Mertens | PTS20 | July 2020 Whos Talking? Xavier Mertens (@xme) 3rd time speaker @ PTS Freelance based in Belgium Blueteamer SANS ISC Senior Handler

427 views • 32 slides

More recommend