quali es of an effec ve ciso
play

Quali&es of an Effec&ve CISO Miguel (Mike) O. Villegas - PowerPoint PPT Presentation

Feb 06, 2024 •315 likes •642 views

Quali&es of an Effec&ve CISO Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA Vice President- K3DES LLC mike.villegas@k3des.com November 13, 2015 2015 IIA-Orange County 1 Abstract Hiring a Chief Informa?on Security

  1. Quali&es of an Effec&ve CISO Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA Vice President- K3DES LLC mike.villegas@k3des.com November 13, 2015 2015 IIA-Orange County 1

  2. Abstract Hiring a Chief Informa?on Security Officer (CISO) is a laudable goal. It implies execu?ve management realizes the value of having an execu?ve level posi?on for informa?on security. The CISO is an execu?ve who provides expert guidance to other c-level execu?ves on maOers of risk, compliance and informa?on protec?on from a strategic and tac?cal business objec?ves perspec?ve. Security prac??oners are typically technical in nature but do not generally have access to c-level execu?ves, so the CISO posi?on can help fill in this gap. This session will discuss the quali?es of an effec?ve CISO. This includes educa?on, background, repor?ng structure, focus, responsibili?es, personal quali?es, vision, leadership capabili?es, and technical background. 2 2015 IIA-Orange County

  3. Table of Contents v CISO Resume v Repor&ng Structure v CISO Vision and Responsibili&es v Personal Quali&es v Leadership Quali&es 3 2015 IIA-Orange County

  4. CISO RESUME 2015 IIA-Orange County 4

  5. CISO Survey A survey conducted in July 2014, 203 US-based C-level execu?ves found a startling lack of respect for CISOs in the enterprise. Below are some interes?ng sta?s?cs: • 74 % said they do not believe CISOs deserve a seat at the table and should not be part of an organiza?on's leadership team. • 54 % believe CISOs should not be responsible for cybersecurity purchasing. • 44 % believe CISOs should be accountable for any organiza?onal data breaches. • 28 % said their CISO has made cybersecurity decisions that nega?vely impacted the organiza?on's financial health. Source: hOp://www.threaOracksecurity.com/resources/the-role-of-the-ciso.aspx 5 2015 IIA-Orange County

  6. CISO Resume Ideally, a CISO should have a combina?on of business and technical skills that allow for competent contribu?ons and guidance with both IT and execu?ve management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifica?ons for a CISO include: • Degree in accoun?ng or MBA, degree in CIS or Informa?on Security; • CPA, CISSP, CISM, CISA, PMP cer?fica?ons; • CFE, CEH, GPEN, CRISC specialized cer?fica?ons; • Ten years minimum experience as a CISO, informa?on security engineer, or security consultant. Big 4 senior managers or partners from the systems assurance would be an added plus • ISSA, ISACA, (ISC) 2 , OWASP, or CISO forum memberships. 6 2015 IIA-Orange County

  7. Cer&fica&ons vs Experience Many of us have known those that tout technical exper?se because of their long list of cer?fica?ons yet once hired, it does not take long before realiza?on sits in. Hiring a CISO… • Cer&fica&ons get him through the door. • The interview gives him a seat. • The 90-day proba&onary period assures he can stay • His technical abili&es determine what kind of work he can manage • His communica&on skills determine whether he deserves a “seat at the table” (Board) 7 2015 IIA-Orange County

  8. Why not hire within? Security professionals who work within the enterprise have great advantages. • They know the IT environment • They know the business • They have earned cer?fica?ons that are the envy of many • They have established a competent rapport with network engineers and system administrators However, many ?mes the Peter Principle might apply such that the security professional has gone as far as he is capable of. 8 2015 IIA-Orange County

  9. Good CISO Candidates There will always be excep?ons and each candidate should stand on their own. However, below is a list of good candidates for CISO. • Director of Informa?on Security • Internal security professionals • IT Audit Manager • IT Risk Manager • External CISO hire • Big 4 Senior Manager or Partner • Sr. Security Consultant A prophet is not accepted in his own country 9 2015 IIA-Orange County

  10. REPORTING STRUCTURE 2015 IIA-Orange County 10

  11. Repor&ng Structure There are four basic ques?ons in this debate. (1) Should there be a CISO posi?on? (2) Who should the CISO report to? (3) What are the pros and cons for CISO repor?ng structure? (4) Who decides? 11 2015 IIA-Orange County

  12. Should there be a CISO posi&on? The keys to making the CISO role successful are independence, empowerment and posi?on. The CISO needs to be: • Independent of influence or pressure from those affected in the protec?on of corporate assets; • Empowered to deploy all proper levels of protec?on; and • Posi&oned within the organiza?on to embed informa?on security into the business culture. 12 2015 IIA-Orange County

  13. Who should the CISO report to? The survey conducted in July 2014 by ThreatTrackSecurity reported found that: • 47% of CISOs report to their CEO or president • 45% report to the CIO, • 4% to the Chief Compliance Officer, and • less than 2% to the COO or CFO. Source: hOp://www.threaOracksecurity.com/resources/the-role-of-the-ciso.aspx 13 2015 IIA-Orange County

  14. Pros and Cons for CISO Repor&ng Structure Pros: • C-level execu?ve that supports, understands and champions the informa?on security func?on and CISO • This provides the CISO independence, ability to disagree and empowerment to deploy the informa?on security program Cons: • Where the CISO reports to is situa?onal • He might lose contact, credibility, coopera?on and empowerment to control the security of corporate assets. • C-level execu?ve does not have sufficient apprecia?on or influence to support the CISO. • Conversely, repor?ng to the CIO could be just as repressive • It comes down to who the CISO would ul?mately report to. 14 2015 IIA-Orange County

  15. Who decides? Despite the endless debates and opinions voiced whether the CISO should report to the CIO or another C-level execu?ve, the ul?mate ques?on is “Who decides?” • It clearly will not be the newly hired CISO. • It will not be the exis?ng Director of Informa?on Security. • The CIO might recommend hiring a CISO but very likely repor?ng to the CIO. • The CEO and board members should ul?mately decide but typically the ques?on is not a considera?on un?l they have experienced a breach or a major security incident. 15 2015 IIA-Orange County

  16. CISO VISION AND RESPONSIBILITIES 2015 IIA-Orange County 16

  17. CISO Vision and Responsibili&es The CISOs vision is to align the informa?on security program with the enterprise strategic business objec?ves. The CISOs responsibility is to ensure the informa?on security program meets those objec?ves and grows commensurate with the enterprise goals. Execu?ve management looks to the CISO to: • Define and manage the informa?on security program • Provide educa?on and guidance to the execu?ve team • Present op?ons and informa?on to enable decision making • Act as an informa?on security advisor 17 2015 IIA-Orange County

  18. CISO Vision and Responsibili&es This includes, is not limited to: Execu?ve Management Repor?ng • Mobile Device Security • Risk and compliance • Web Applica?on Security • Informa?on Security Administra?on • Vulnerability Tes?ng • Competent and skilled staff • Security Tools • CSIRT Program • Network Security • Informa?on Protec?on • Applica?on Security • Security Monitoring • Personnel Security • Security Policies and Procedures • Database Security • Vendor Security • Cloud Security • Wireless Security • Security Awareness Program • 18 2015 IIA-Orange County

  19. What the CISO should do to earn respect Use the "three C's" to emphasize the importance of informa?on security • within an organiza?on: – Coopera?on precludes pernicious silos; – Communica?on is cri?cal but it must be incisive, relevant and done with aplomb; and – Counterbalance ensures contribu?ons are commensurate with business objec?ves. Iden?fy a C-level team member who can champion the CISO's • contribu?ons and par?cipa?on. Befriend, educate, earn trust and provide him or her with insighpul informa?on that will also elevate his or her visibility and credibility. Schedule monthly execu?ve management reports on the state of • informa?on security for your enterprise. Use graphics, red-yellow-green icons to highlight areas to focus, and communicate your message in business terms related to cost, ROI, risk, growth and compliance. Stay informed of current events and new technologies, especially as they • relate to your enterprise industry. 2015 IIA-Orange County 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital Guardian CISO Mentoring Webinar Series Landing Your First CISO Job 1 About Steve Katz

Digital Guardian CISO Mentoring Webinar Series Landing Your First CISO Job 1 About Steve Katz

Digital Guardian CISO Mentoring Webinar Series Landing Your First CISO Job 1 About Steve Katz Recognized as the Worlds First CISO. Wealth of experience including Citigroup, JP Morgan, Deloitte, and Kaiser Permanente

379 views • 26 slides
Le Comorbidit nelle immunodeficienze delladulto: quali e quali scelte terapeutiche. Andrea

Le Comorbidit nelle immunodeficienze delladulto: quali e quali scelte terapeutiche. Andrea

Le Comorbidit nelle immunodeficienze delladulto: quali e quali scelte terapeutiche. Andrea Matucci Immunoallergology Unit AOU Careggi, Florence, Italy andrea.matucci@unifi.it XXXII Congresso della SIAAIC Toscana, Emilia Romagna, S.

860 views • 27 slides
MODERN METHODS MODERN METHODS FOR I MPROVI NG THE QUALI TY I N FOR I MPROVI NG THE QUALI TY I N

MODERN METHODS MODERN METHODS FOR I MPROVI NG THE QUALI TY I N FOR I MPROVI NG THE QUALI TY I N

FIG Workshop on e-Governance, Knowledge Management and e-Learning Budapest, Hungary, 27-29 April, 2006 MODERN METHODS MODERN METHODS FOR I MPROVI NG THE QUALI TY I N FOR I MPROVI NG THE QUALI TY I N LAND VALUATI ON TRAI NI NG LAND VALUATI ON

672 views • 26 slides
Oltre RAS e RAF quali altri fattori predittivi di risposta e Oltre RAS e RAF, quali altri fattori

Oltre RAS e RAF quali altri fattori predittivi di risposta e Oltre RAS e RAF, quali altri fattori

Mario Scartozzi Clinica di Oncologia Medica Clinica di Oncologia Medica Ancona Oltre RAS e RAF quali altri fattori predittivi di risposta e Oltre RAS e RAF, quali altri fattori predittivi di risposta e prognostici? Quali evidenze, quali

369 views • 16 slides
Mentoring Webinar Series Stories From the CISO Trenches 1 About Larry Brock Principal at

Mentoring Webinar Series Stories From the CISO Trenches 1 About Larry Brock Principal at

Digital Guardian CISO Mentoring Webinar Series Stories From the CISO Trenches 1 About Larry Brock Principal at Brock Cyber Security Consulting LLC Former Global Chief Information Security Officer (CISO) at DuPont (11 years) Held

532 views • 31 slides
2 0 1 2 UPDATE OF STORMW ATER QUALI TY STORMW ATER QUALI TY MANAGEMENT ( SW QM) Public Works

2 0 1 2 UPDATE OF STORMW ATER QUALI TY STORMW ATER QUALI TY MANAGEMENT ( SW QM) Public Works

2 0 1 2 UPDATE OF STORMW ATER QUALI TY STORMW ATER QUALI TY MANAGEMENT ( SW QM) Public Works Agency ORDI NANCE ORDI NANCE Stakeholder W orkshop March 2 1 , 2 0 1 2 Outline s Agency Ventura Countywide NPDES Municipal I. Stormwater

529 views • 49 slides
CIO / CISO perspectives Challenges and opportunities Trond Ellefsen Head of IT Statoil

CIO / CISO perspectives Challenges and opportunities Trond Ellefsen Head of IT Statoil

CIO / CISO perspectives Challenges and opportunities Trond Ellefsen Head of IT Statoil Development and Production North America 2012-11-26 CISO keynote 1 Content and perspective 2 Common threats and the new Art of war 3 Weapons of mass

425 views • 18 slides
EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA, CISM, CRISC, CISSP Director, IT Security & Compliance 13 March 2014 AGENDA 1. Introduction 2. Evolution of the CISO: Past, Present & Future

200 views • 18 slides
What is Value? How can we make effec,ve decisions

What is Value? How can we make effec,ve decisions

What is Value? How can we make effec,ve decisions unless we understand Value? How do we gain a sense of fulfilment or of purpose

321 views • 15 slides
Using Restora-ve Concepts and Approaches for More Effec-ve

Using Restora-ve Concepts and Approaches for More Effec-ve

Using Restora-ve Concepts and Approaches for More Effec-ve Employee Engagement IIRP European Conference Sharon Mast June 10,2015 FACT or FICTION

665 views • 31 slides
Effec%ve Test Data Management in End-To-End and API

Effec%ve Test Data Management in End-To-End and API

Effec%ve Test Data Management in End-To-End and API Tes%ng in Agile environment. Excel isnt a long-term solu1on Mark Lambert (VP Products

652 views • 28 slides
HOMELAND SECURITY: CYBER-SECURITY AT THE LOCAL LEVEL Kirk Bailey, CISSP, CISM CISO, UW Ernie

HOMELAND SECURITY: CYBER-SECURITY AT THE LOCAL LEVEL Kirk Bailey, CISSP, CISM CISO, UW Ernie

HOMELAND SECURITY: CYBER-SECURITY AT THE LOCAL LEVEL Kirk Bailey, CISSP, CISM CISO, UW Ernie Hayden, CISSP CISO, Port of Seattle HOW BIG IS THE JOB? WHAT IS INVOLVED (THE SCOPE OF IT)? WHAT ARE THE TOUGH CHALLENGES? WHAT DOES THE FUTURE

377 views • 36 slides
Valida&on of the Effec&veness of an Op&mized

Valida&on of the Effec&veness of an Op&mized

Valida&on of the Effec&veness of an Op&mized EPMcreate as an Aid for Crea&ve Requirements Elicita&on Victoria Sakhnini 1 , Daniel M. Berry 1 , &

722 views • 56 slides
G A E TERM PRODUCTION PROTOTYPES COOPERATION OUTSOURCING ABOUT US 2 Due to high quali fi

G A E TERM PRODUCTION PROTOTYPES COOPERATION OUTSOURCING ABOUT US 2 Due to high quali fi

plus G A G A E TERM PRODUCTION PROTOTYPES COOPERATION OUTSOURCING ABOUT US 2 Due to high quali fi cations of our employees and advanced technological solutions of our machine park, we are able to perform complex tasks ranging from

529 views • 20 slides
Media Use and its Developme mental Effec Effects ts Dr

Media Use and its Developme mental Effec Effects ts Dr

Media Use and its Developme mental Effec Effects ts Dr Serena Tung Consultant Paediatrician Child Developmental Unit Na:onal University Hospital 28 May

657 views • 46 slides
Cost-Effec*ve Recovery of an Endangered Species: The

Cost-Effec*ve Recovery of an Endangered Species: The

Cost-Effec*ve Recovery of an Endangered Species: The Red-Cockaded Woodpecker Jon M. Conrad and Ryan M. Finseth Department of Applied Economics and

224 views • 18 slides
Presentation to the House of Commons Standing Committee on Industry, Science and Technology by

Presentation to the House of Commons Standing Committee on Industry, Science and Technology by

Presentation to the House of Commons Standing Committee on Industry, Science and Technology by The Canadian Petroleum Products Institute August 2010 Check against Delivery 1 of 3 Presentation by Mr. Peter Boag to the Standing Committee on

164 views • 3 slides
Dr. Peter J. Murray PhD, RN, MSc, CertEd, FBCS CITP IMIA CEO Disclaimer: views expressed should

Dr. Peter J. Murray PhD, RN, MSc, CertEd, FBCS CITP IMIA CEO Disclaimer: views expressed should

250 views • 13 slides
Alignment with NBSAPs and 2020 Aichi Targets Alignment with NBSAPs and 2020 Aichi Targets Peter

Alignment with NBSAPs and 2020 Aichi Targets Alignment with NBSAPs and 2020 Aichi Targets Peter

Alignment with NBSAPs and 2020 Aichi Targets Alignment with NBSAPs and 2020 Aichi Targets Peter Thomas TierraMar Consulting Suva, Fiji, 25 29 November 20013 Background to the Action Strategy Product of successive Pacific Conferences on

385 views • 10 slides
Community Sourced Knowledge: Solving the Maintenance Problem J. Carlos Vega, US Army Karl D.

Community Sourced Knowledge: Solving the Maintenance Problem J. Carlos Vega, US Army Karl D.

Community Sourced Knowledge: Solving the Maintenance Problem J. Carlos Vega, US Army Karl D. Pfeiffer, TASC, Inc. Alex Bordetsky, Naval Postgraduate School Background The Maintenance Quagmire Maintenance of software intensive systems is in a

467 views • 23 slides
Tracking business contribution to the Sustainable Development Goals (SDGs) Peter Paul van de Wijs

Tracking business contribution to the Sustainable Development Goals (SDGs) Peter Paul van de Wijs

Tracking business contribution to the Sustainable Development Goals (SDGs) Peter Paul van de Wijs Origin Story It started with the Exxon Valdez disaster Valdez Runs Aground Global Reporting Initiative GRI Standards March 24, 1989 Spun off

165 views • 4 slides
Welfare conditionality : some issues and concerns for families and children Video presentation to

Welfare conditionality : some issues and concerns for families and children Video presentation to

Welfare conditionality : some issues and concerns for families and children Video presentation to Picking up the pieces : the fallout of welfare reform forum 20 th October 2017 Melbourne, Australia Professor Peter Dwyer Dept. of Social

602 views • 7 slides
The Interrelationships of Energy, E Environmental Extremism, i l E i Economic Prosperity and

The Interrelationships of Energy, E Environmental Extremism, i l E i Economic Prosperity and

The Interrelationships of Energy, E Environmental Extremism, i l E i Economic Prosperity and Economic Prosperity and Education 1. Mankind is not Changing the Climate. 2. Carbon Dioxide is not a Pollutant! 3. Carbon Constraints can cause

339 views • 30 slides
IFN Forum Kuwait Macroeconomic Outlook for Kuwait and the GCC By Tariq Alrifai Kuwait 19

IFN Forum Kuwait Macroeconomic Outlook for Kuwait and the GCC By Tariq Alrifai Kuwait 19

IFN Forum Kuwait Macroeconomic Outlook for Kuwait and the GCC By Tariq Alrifai Kuwait 19 October 2015 Overview Review and update on Global economy Oil market trends and outlook Kuwait and GCC economic outlook Recent News

1.58k views • 21 slides

More recommend