How to translate CISO tech-speak into strategic objectives
WEBINAR
The audio portion of this webinar will stream through your
computer. If you are not hearing sound, please check the
speaker volume on your computer. If you are still experiencing a
problem, press the pause button under the image on the left of
your screen and then the arrow/play button.
WEGALVANIZE.COM
Webinar Details
* Introduction by David Shaw
* Time for questions (enter them from your computer) during and after
the presentation
* 60 minutes
* Presentation and supporting material will be emailed to all
participants after the webinar
Today’s Speakers
Chris Murphey, Director of Customer Success, Galvanize
Allan Grafman, Audit Committee Chair, IDW Media Holdings
David Shaw, Publishing Director, Directors & Boards
Digital Governance Principles
Principle 1: Approach emerging technology as a strategic imperative, not just an operational issue.
Principle 2: Develop collective, continuous technology-specific learning and development goals.
Principle 3: (Re)align board structure and composition to reflect the growing significance of technology as a driver of both growth and risk.
Principle 4: Demand frequent and forward-looking reporting on technology-related initiatives.
Principle 5: Periodically assess the organization’s leadership, talent, and culture readiness for technology change.
Objectives
• Appreciate the need for sustainable technology governance
• Move beyond the technical part of the CISO’s role
• How to get trusted and valuable advice from your CISO
• Focus on business impact/value with the right metrics
Find Confidence in Discussing Technology Governance
Tech resilience is the key to company survival. All companies
are now tech companies, and ensuring you remain current is a
basic ERM [Enterprise Risk Management] function.
Betsy Atkins, 3-time CEO, Board Member & Serial Entrepreneur
Embrace This, Discuss with Your Audit Committee
F100 Research, yet Holds True for Most CISOs
A Look at a (Fortune 100) CISO
Demographics: 89% male; 40-50 years old
Tenure: 2-4 years; 80% < 5 years
Qualification: 40% business; 40% masters; 3 certifications (CISSP, CISM, ITIL, CISA, CRISC)
Experience: 59% security; 19% military/gov’t
Security Architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind.
Data Loss: Making sure data isn’t stolen or misused. Policies and tools like Data Loss Prevention (DLP).
Security Operations: Real-time analysis of immediate incidents and vulnerabilities.
Cyber Intelligence: Monitoring security threats, communicating potential security issues that might arise from changes in the business.
Forensics: Determining what went wrong in a breach, dealing with those responsible if they're internal, and planning to avoid repeats of the same crisis.
IT Risk Management: The principle of risk management applied to IT. Apps, servers, software, vendors undergo risk assessments to classify, mitigate, remediate and document risks.
Identity & Access Management: Ensuring that only authorized people have access to restricted data and systems.
Program Management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance.
Governance: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance.
Technical Subject Matter, Managed by One Person
Typical CISO Responsibilities
85% highlighted information technology as a key skill on the
board and 52% called attention to cybersecurity in particular
2019 Review of S&P 100 Governance Disclosures, Nasdaq Center for Corporate Governance
Director Acumen is Growing (it has to), but may be Shallow
A Look at a (S&P 100) Director
How and what does a CISO communicate…
…with you?
…with the Audit Committee?
…with the CIO/CEO?
Source: Gartner
Establish a Communication Plan, Align With Your Directors
A CISO’s (Successful) First 100 Days
Elevate the CISO Agenda, Position CEO/CIO for Success
Options to Discuss with Your CEO:
1. Invite the CISO to the next board meeting
2. Review the CISO Work Book/Plan
3. Have a CISO-led working session (with a third-party expert, if needed)
Options to Interact with a CISO as a Director
- Many internal and external stakeholders to satisfy
- Too many data sources, and siloed ones
- Hard to transform data and add context
- Not sure which metrics to care about
- Not consistently making data-driven decisions
Current State of CISO Governance/Reporting
Internal (Technical Metrics Focused):
• Security Ops
• IAM
• IT Teams
• Committees
External (Business Impact Focused):
• Board
• Line of Business
• Customers
• Auditors
Oversight:
• Compliance
• Privacy
• Regulators
• Auditors
Inefficient, Ready for Sustainability
Different Data Sets, Lack of Unified Standards & Time Intensive
Current State of CISO Governance/Reporting (in detail)
1. Pick a standard/framework (e.g. National Institute of Standards and Technology)
2. Organize by areas (e.g. Identity and Access Management, Security Ops, etc.)
3. Select metrics that influence behavior
4. Correlate to business impact (metrics aligned to strategic goals go to Board)
5. Establish a baseline (able to say what is good, bad or indifferent to your org)
6. Qualitative is more important than quantitative
(# of critical vulnerabilities open for 60+ days vs. # of critical vulnerabilities)
Discuss This With Your CISO
Selecting the Right Metrics
Question | Metric | Source

Governance & Compliance
How long does it take us to provide Information Security Training/Coverage? | Time from hire date to Security Awareness Training completion date | HR system, training system
How many risk acceptances are we tracking? | Number of active acceptances, by department | GRC
How many policy exceptions are we tracking? | Number of active exceptions, by owner, by age in months | GRC
How many critical applications/systems have critical/high gaps that are open? | Critical systems where identified control gaps have not been remediated | GRC
How are our internal team(s) performing compared to auditors? | Trend of gaps identified through the self-assessment process compared to audit findings | GRC

Identity Management
How long does it take us to revoke access for terminated employees? | Time from termination to access revoked for terminated employees (in hours, by termination) | HR system (termination date), IDM (access revoked date/time)
How much unneeded access remains after a role change? | Access not recertified/expired (count, by department, over last 12 months) | IDM (expired/non-certified flag)
How often are privileges reviewed for accounts with access to critical systems? | Accounts within critical systems whose privileges have not been reviewed and approved | IDM
How many inactive users still have access? | Inactive (terminated / dormant / transfer) user accounts that have not been disabled | HR system (termination date), IDM (access revoked date/time)

Security Ops
How long does it take us to discover an Information Security Incident? | Time to detection (average time in minutes, by month, over last 12 months) | Incident management (GRC)
How long does it take us to contain an Information Security Incident? | Time from detection to containment (average time in minutes, by month) | Incident management (GRC)
How long have critical systems been unavailable? | Operational time where a critical system was unavailable | BCM
How long does it take us to patch critical/high vulnerabilities? | Critical/high vulnerabilities days open (average by month, over last 12 months) | VM
How many assets do we have with critical/high vulnerabilities? | Assets (applications, hosts, etc.) with critical/high vulnerabilities (average count, by month) | VM, GRC
How many assets do not have up-to-date AV protections? | Endpoint devices without automatic protection per policy / standards | Endpoint systems
How many assets do not have up-to-date configurations per policies? | Percentage of systems with configurations that deviate from approved standards | Configuration management systems

Security Architecture
How many critical applications/systems have not had a security review in the last year? | Percentage of critical applications/systems with and without a security review | GRC, PenTest, architecture review (manual)
How many critical applications/systems have critical/high severity findings? | Count of critical applications/systems that have at least one critical/high finding, by month | GRC, PenTest, architecture review (manual)
Sample Key Metrics
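The metric-selection steps and the sample metrics above describe numbers without showing how they are derived from the underlying systems. The following is an added example (not from the webinar or from Galvanize) that computes three of the listed metrics from constructed HR, IDM and vulnerability-management records: hours from termination to access revoked, terminated accounts still enabled, and open critical/high vulnerabilities split into the headline count and the count open for 60+ days. It then rates each value against a baseline, as step 5 asks for. All records, names, dates, the 24-hour revocation target and the aging tolerance are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records standing in for exports from the HR system, the
# identity management (IDM) system and the vulnerability management (VM) tool.
# Every user, asset, date and threshold below is invented for this example.


@dataclass
class HrRecord:
    user: str
    term_date: Optional[datetime]    # None = still employed


@dataclass
class IdmRecord:
    user: str
    disabled_at: Optional[datetime]  # None = account still enabled


@dataclass
class VulnRecord:
    asset: str
    severity: str                    # critical / high / medium / low
    opened: datetime
    closed: Optional[datetime]       # None = still open


AS_OF = datetime(2020, 3, 31)        # reporting date for the aging calculation

HR = [
    HrRecord("alice", datetime(2020, 3, 2)),
    HrRecord("bob", datetime(2020, 3, 10)),
    HrRecord("carol", None),
    HrRecord("dave", datetime(2020, 3, 20)),
]
IDM = [
    IdmRecord("alice", datetime(2020, 3, 2, 6)),   # revoked 6 hours after termination
    IdmRecord("bob", datetime(2020, 3, 13)),        # revoked 72 hours after termination
    IdmRecord("carol", None),                       # active employee, correctly enabled
    IdmRecord("dave", None),                        # terminated but still enabled
]
VULNS = [
    VulnRecord("web-01", "critical", datetime(2019, 12, 1), None),              # 121 days open
    VulnRecord("web-01", "high", datetime(2020, 3, 15), None),                  # 16 days open
    VulnRecord("db-02", "critical", datetime(2020, 1, 15), None),               # 76 days open
    VulnRecord("db-02", "medium", datetime(2019, 11, 1), None),                 # out of scope
    VulnRecord("app-03", "high", datetime(2020, 1, 1), datetime(2020, 2, 1)),   # already closed
]


def hours_to_revoke(hr: List[HrRecord], idm: List[IdmRecord]) -> Tuple[Dict[str, float], List[str]]:
    """Identity metric: hours from termination to access revoked, per terminated user.
    Terminated users whose account is still enabled are a control failure and are
    returned separately rather than silently skewing the average."""
    disabled = {r.user: r.disabled_at for r in idm}
    revoked: Dict[str, float] = {}
    still_enabled: List[str] = []
    for rec in hr:
        if rec.term_date is None:
            continue
        when = disabled.get(rec.user)
        if when is None:
            still_enabled.append(rec.user)
        else:
            revoked[rec.user] = (when - rec.term_date).total_seconds() / 3600
    return revoked, still_enabled


def open_crit_high(vulns: List[VulnRecord], as_of: datetime, aging_days: int = 60) -> Tuple[int, int]:
    """Security ops metric: open critical/high vulnerabilities, as the headline count
    and the count aged past the threshold (the 60+ day figure from the slides)."""
    open_now = [v for v in vulns if v.severity in ("critical", "high") and v.closed is None]
    aged = [v for v in open_now if (as_of - v.opened).days >= aging_days]
    return len(open_now), len(aged)


def rate_against_baseline(value: float, target: float, tolerance: float) -> str:
    """Step 5 of the slides: say whether a value is good, indifferent or bad for this
    org. Target and tolerance are assumed figures a CISO would agree with the audit
    committee; they are not taken from the page."""
    if value <= target:
        return "good"
    if value <= target + tolerance:
        return "indifferent"
    return "bad"


def board_summary(hr: List[HrRecord], idm: List[IdmRecord], vulns: List[VulnRecord], as_of: datetime) -> dict:
    """Roll the technical metrics up into the few numbers that go to the board."""
    revoked, still_enabled = hours_to_revoke(hr, idm)
    avg_hours = sum(revoked.values()) / len(revoked) if revoked else 0.0
    open_count, aged_count = open_crit_high(vulns, as_of)
    return {
        "avg_hours_to_revoke": avg_hours,
        "terminated_still_enabled": len(still_enabled),
        "open_crit_high": open_count,
        "open_crit_high_60plus": aged_count,
        "revoke_status": rate_against_baseline(avg_hours, target=24, tolerance=24),
        "aging_status": rate_against_baseline(aged_count, target=0, tolerance=1),
    }


if __name__ == "__main__":
    for name, value in board_summary(HR, IDM, VULNS, AS_OF).items():
        print(f"{name}: {value}")
```

The split between `open_crit_high` and `open_crit_high_60plus` is the contrast step 6 draws: the headline count alone says little, while the aged count shows whether remediation is keeping pace. Keeping terminated-but-enabled accounts out of the average, and reporting them on their own, stops a single missed revocation from hiding inside an otherwise healthy number.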
+ Report metrics by department and hold those leaders/teams accountable
+ Provide transparency to internal stakeholders
+ Leverage leaderboards and game theory to influence behavior
+ Manage by numbers via regular “Ops” meetings
How to Manage Technology Risk
The One Thing You Can Do Right Away
Ask: Are we measuring technology, data and security governance success in a
generally accepted way similar to a comparable organization?
Add This To Your Audit Committee Agenda
In Summary
1. Seek technology resilience: you are a tech company
2. Strive for CISO success, to give assurance to CEO success
3. Define a successful and sustainable communication plan around technology governance
4. Establish the right metrics (and change them when needed)
5. Benchmark your governance program against peer organizations