How to translate CISO tech-speak into strategic objectives · 2020-02-27

How to translate CISO tech-speak into strategic objectives

WEBINAR

The audio portion of this webinar will stream through your

computer. If you are not hearing sound, please check the

speaker volume on your computer. If you are still experiencing a

problem, press the pause button under the image on the left of

your screen and then the arrow/play button.

WEGALVANIZE.COM

Webinar Details

* Introduction by David Shaw

* Time for questions (enter them from your computer) during and after the presentation

* 60 minutes

* Presentation and supporting material will be emailed to all participants after the webinar


Today’s Speakers

Chris Murphey, Director of Customer Success, Galvanize

Allan Grafman, Audit Committee Chair, IDW Media Holdings

David Shaw, Publishing Director, Directors & Boards


Digital Governance Principles

Principle 1: Approach emerging technology as a strategic imperative, not just an operational issue.

Principle 2: Develop collective, continuous technology-specific learning and development goals.

Principle 3: (Re)align board structure and composition to reflect the growing significance of technology as a driver of both growth and risk.

Principle 4: Demand frequent and forward-looking reporting on technology-related initiatives.

Principle 5: Periodically assess the organization’s leadership, talent, and culture readiness for technology change.


Objectives

• Appreciate the need for sustainable technology governance

• Move beyond the technical part of the CISO’s role

• How to get trusted and valuable advice from your CISO

• Focus on business impact/value with the right metrics

Find Confidence in Discussing Technology Governance


"Tech resilience is the key to company survival. All companies are now tech companies, and ensuring you remain current is a basic ERM [Enterprise Risk Management] function."

Betsy Atkins, 3-time CEO, Board Member & Serial Entrepreneur

Embrace This, Discuss with Your Audit Committee


A Look at a (Fortune 100) CISO

F100 Research, yet Holds True for Most CISOs

• Demographics: 89% male; 40-50 years old

• Tenure: 2-4 years; 80% < 5 years

• Qualification: 40% business; 40% masters; 3 certifications (CISSP, CISM, ITIL, CISA, CRISC)

• Experience: 59% security; 19% military/gov’t


Typical CISO Responsibilities

Technical Subject Matter, Managed by One Person

• Security Architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind.

• Program Management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance.

• IT Risk Management: The principle of risk management applied to IT. Apps, servers, software, vendors undergo risk assessments to classify, mitigate, remediate and document risks.

• Security Operations: Real-time analysis of immediate incidents and vulnerabilities.

• Cyber Intelligence: Monitoring security threats, communicating potential security issues that might arise from changes in the business.

• Identity & Access Management: Ensuring that only authorized people have access to restricted data and systems.

• Data Loss: Making sure data isn’t stolen or misused. Policies and tools like Data Loss Prevention (DLP).

• Forensics: Determining what went wrong in a breach, dealing with those responsible if they're internal, and planning to avoid repeats of the same crisis.

• Governance: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance.


A Look at a (S&P 100) Director

Director Acumen is Growing (it has to), but may be Shallow

"85% highlighted information technology as a key skill on the board and 52% called attention to cybersecurity in particular."

2019 Review of S&P 100 Governance Disclosures, Nasdaq Center for Corporate Governance


A CISO’s First 100 Days

Like this, but… (Gartner figure)


In Reality The First 100 Days Includes This


A CISO’s (Successful) First 100 Days

Establish a Communication Plan, Align With Your Directors

How and what does a CISO communicate…

• …with you?

• …with the Audit Committee?

• …with the CIO/CEO?

(Source: Gartner)


Options to Interact with a CISO as a Director

Elevate the CISO Agenda, Position CEO/CIO for Success

Options to Discuss with Your CEO:

1. Invite the CISO to the next board meeting

2. Review the CISO Work Book/Plan

3. Have a CISO-led Working Session (with third-party expert, if needed)


Current State of CISO Governance/Reporting

- Many internal and external stakeholders to satisfy

- Too many data sources, and siloed

- Hard to transform data and add context

- Not sure which metrics to care about

- Not consistently making data-driven decisions


Current State of CISO Governance/Reporting (in detail)

Different Data Sets, Lack of Unified Standards & Time Intensive

Inefficient, Ready for Sustainability

Internal (Technical Metrics Focused)

• Security Ops

• IAM

• IT Teams

• Committees

External (Business Impact Focused)

• Board

• Line of Business

• Customers

• Auditors

• Compliance

• Privacy

Oversight

• Regulators

• Auditors


Selecting the Right Metrics

Discuss This With Your CISO

1. Pick a standard/framework (e.g. National Institute of Standards and Technology)

2. Organize by areas (e.g. Identity and Access Management, Security Ops, etc.)

3. Select metrics that influence behavior

4. Correlate to business impact (metrics aligned to strategic goals go to the Board)

5. Establish a baseline (be able to say what is good, bad or indifferent for your org)

6. Qualitative is more important than quantitative (# of critical vulnerabilities open for 60+ days vs. # of critical vulnerabilities)


Sample Key Metrics

Each row gives the question a director can ask, the metric that answers it, and the system of record it comes from.

Governance & Compliance

• How long does it take us to provide Information Security Training/Coverage? Metric: Time from hire date to Security Awareness Training completion date. Source: HR System, Training System.

• How many risk acceptances are we tracking? Metric: Number of active acceptances, by department. Source: GRC.

• How many policy exceptions are we tracking? Metric: Number of active exceptions, by owner, by age in months. Source: GRC.

• How many critical applications/systems have critical/high gaps that are open? Metric: Critical systems where identified control gaps have not been remediated. Source: GRC.

• How are our internal team(s) performing compared to auditors? Metric: Trend of gaps identified through the self-assessment process compared to audit findings. Source: GRC.

Identity Management

• How long does it take us to revoke access for terminated employees? Metric: Time from termination to access revoked for terminated employees (in hours, by termination). Source: HR system (termination date), IDM (access revoked date/time).

• How much unneeded access remains after a role change? Metric: Access not recertified/expired (count, by department, over the last 12 months). Source: IDM (expired/non-certified flag).

• How often are privileges reviewed for accounts with access to critical systems? Metric: Accounts within critical systems whose privileges have not been reviewed and approved. Source: IDM.

• How many inactive users still have access? Metric: Inactive (terminated / dormant / transfer) user accounts that have not been disabled. Source: HR system (termination date), IDM (access revoked date/time).

Security Ops

• How long does it take us to discover an Information Security Incident? Metric: Time to detection (average time in minutes, by month, over the last 12 months). Source: Incident management (GRC).

• How long does it take us to contain an Information Security Incident? Metric: Time from detection to containment (average time in minutes, by month). Source: Incident management (GRC).

• How long have critical systems been unavailable? Metric: Operational time where a critical system was unavailable. Source: BCM.

• How long does it take us to patch critical/high vulnerabilities? Metric: Critical/high vulnerabilities days open (average by month, over the last 12 months). Source: VM.

• How many assets do we have with critical/high vulnerabilities? Metric: Assets (applications, hosts, etc.) with critical/high vulnerabilities (average count, by month). Source: VM, GRC.

• How many assets do not have up-to-date AV protections? Metric: Endpoint devices without automatic protection per policy / standards. Source: Endpoint systems.

• How many assets do not have up-to-date configurations per policies? Metric: Percentage of systems with configurations that deviate from approved standards. Source: Configuration management systems.

Security Architecture

• How many critical applications/systems have not had a security review in the last year? Metric: Percentage of critical applications/systems with and without a security review. Source: GRC, PenTest, Architecture review (manual).

• How many critical applications/systems have critical/high severity findings? Metric: Count of critical applications/systems that have at least one critical/high finding, by month. Source: GRC, PenTest, Architecture review (manual).
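The metric definitions above, and step 6 of "Selecting the Right Metrics" (critical vulnerabilities open 60+ days versus all open critical vulnerabilities), are easier to reason about once computed from real feeds. The script below is an added example, not material from the webinar or from Galvanize: it takes constructed HR, IDM, vulnerability-management and incident records, computes four of the table's metrics (time to revoke access, terminated accounts still enabled, days open and stale ratio for critical/high findings, mean time to detect and contain) and then rates each against an assumed organisational baseline, which is step 5 of the same list. All record values and baseline thresholds are assumptions.

```python
"""Sample metric calculations for a CISO metrics pack.

Added example, not from the webinar: every record below is constructed
(HR export, IDM export, vulnerability-management export, incident log).
"""
from datetime import datetime
from statistics import mean

AS_OF = datetime(2020, 2, 27)  # reporting date (constructed)

# HR system: employee id -> termination timestamp (constructed)
HR_TERMINATIONS = {
    "e1001": datetime(2020, 2, 3, 9, 0),
    "e1002": datetime(2020, 2, 10, 17, 0),
    "e1003": datetime(2020, 2, 20, 12, 0),
}
# IDM system: employee id -> access-revoked timestamp; absent = still enabled (constructed)
IDM_REVOCATIONS = {
    "e1001": datetime(2020, 2, 3, 11, 30),
    "e1002": datetime(2020, 2, 12, 17, 0),
}
# Vulnerability management export: (asset, severity, opened, closed or None) (constructed)
VULNS = [
    ("web-01", "critical", datetime(2019, 11, 1), None),
    ("web-01", "high", datetime(2020, 1, 15), None),
    ("db-02", "critical", datetime(2020, 2, 1), None),
    ("db-02", "critical", datetime(2019, 12, 1), datetime(2020, 2, 1)),
    ("app-03", "medium", datetime(2019, 10, 1), None),
]
# Incident management: (occurred, detected, contained) (constructed)
INCIDENTS = [
    (datetime(2020, 1, 5, 8, 0), datetime(2020, 1, 5, 10, 0), datetime(2020, 1, 5, 10, 45)),
    (datetime(2020, 2, 1, 22, 0), datetime(2020, 2, 2, 4, 0), datetime(2020, 2, 2, 5, 30)),
]
# Assumed baselines (step 5): what this org treats as acceptable (constructed)
BASELINES = {
    "max_hours_to_revoke_access": 24,
    "terminated_accounts_still_enabled": 0,
    "critical_vulns_open_60_plus_days": 0,
    "mean_minutes_to_detect": 240,
    "mean_minutes_to_contain": 60,
}


def revocation_lag_hours(hr, idm):
    """Hours from termination to access revocation per employee. Employees
    with no IDM revocation record are the 'inactive users still have access'
    metric and are returned separately rather than silently dropped."""
    lags, still_active = {}, []
    for emp, term in hr.items():
        revoked = idm.get(emp)
        if revoked is None:
            still_active.append(emp)
        else:
            lags[emp] = (revoked - term).total_seconds() / 3600
    return lags, still_active


def open_vulns(vulns, severities, as_of=AS_OF):
    """(asset, severity, days open) for unresolved findings in the given severities."""
    return [(asset, sev, (as_of - opened).days)
            for asset, sev, opened, closed in vulns
            if closed is None and sev in severities]


def stale_ratio(vulns, threshold_days=60, severities=("critical",), as_of=AS_OF):
    """Step 6: critical findings open 60+ days versus all open critical findings."""
    rows = open_vulns(vulns, set(severities), as_of)
    stale = sum(1 for _, _, days in rows if days >= threshold_days)
    return stale, len(rows)


def avg_days_open(vulns, severities=("critical", "high"), as_of=AS_OF):
    """Average days open for unresolved critical/high findings (table: 'patch' metric)."""
    rows = open_vulns(vulns, set(severities), as_of)
    return round(mean(days for _, _, days in rows), 1) if rows else 0.0


def assets_with_open_findings(vulns, severities=("critical", "high"), as_of=AS_OF):
    """Distinct assets carrying at least one open critical/high finding."""
    return sorted({asset for asset, _, _ in open_vulns(vulns, set(severities), as_of)})


def incident_minutes(incidents):
    """Mean time to detect (occurred -> detected) and mean time to contain
    (detected -> contained), both in minutes."""
    ttd = [(det - occ).total_seconds() / 60 for occ, det, _ in incidents]
    ttc = [(con - det).total_seconds() / 60 for _, det, con in incidents]
    return mean(ttd), mean(ttc)


def board_summary(baselines=BASELINES):
    """Business-facing view: each observed value with a within/outside-baseline rating."""
    lags, still_active = revocation_lag_hours(HR_TERMINATIONS, IDM_REVOCATIONS)
    stale, _total = stale_ratio(VULNS)
    ttd, ttc = incident_minutes(INCIDENTS)
    observed = {
        "max_hours_to_revoke_access": max(lags.values()),
        "terminated_accounts_still_enabled": len(still_active),
        "critical_vulns_open_60_plus_days": stale,
        "mean_minutes_to_detect": ttd,
        "mean_minutes_to_contain": ttc,
    }
    return {name: (value, "within baseline" if value <= baselines[name] else "outside baseline")
            for name, value in observed.items()}


if __name__ == "__main__":
    for name, (value, rating) in board_summary().items():
        print(f"{name}: {value} ({rating})")
```

The point of `board_summary` is the translation the webinar asks for: the same numbers the security team watches are reported as a rating against a baseline the organisation has agreed on, so a director can read "outside baseline" without knowing what an IDM export looks like.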


How to Manage Technology Risk

+ Report metrics by department and hold those leaders/teams accountable

+ Provide transparency to internal stakeholders

+ Leverage leaderboards and game theory to influence behavior

+ Manage by numbers via regular “Ops” meetings


The One Thing You Can Do Right Away

Ask: Are we measuring technology, data and security governance success in a generally accepted way, similar to a comparable organization?

Add This To Your Audit Committee Agenda


In Summary

1. Seek technology resilience; you are a tech company

2. Strive for CISO success, to give assurance of CEO success

3. Define a successful and sustainable communication plan around technology governance

4. Establish the right metrics (and change them when needed)

5. Benchmark your governance program against peer organizations


Questions