Embed Size (px)
Citation preview
In the age of Continuous
Compromise
EXECUTIVE REPORTING
Trey FordGlobal Security Strategist
Rapid7
AGENDA
•Boardroom Disciplines
•The Security Executive’s Challenges
•What’s Reported – 90 CISOs Point of View
•Affecting Change – Rapid7 Research Project
BOARDROOM DISCIPLINES
ESTABLISHED PROFESSIONS
• Medicine
• Law
• Engineering
• Accounting
BOARDROOM TECHNOLOGYNCR - 1884 IBM - 1911
SECURITY EXECUTIVE’S CHALLENGES
INFORMATION SECURITY
NO REAL ‘HOW TO’ GUIDE
SECURITY STATUS REPORTS
•Accounting has their GAAP
•Legal and Medicine has theirs
•What about Information Security?
COMMUNICATION FLOW
Data, Verbose Reports
SUMMARIES
WISDOM
KNOWLEDGE
INFORMATION
DATA
• Uncertainty at the Top
• Executives are Comfortable
• Engineers are NOT Comfortable
• The Secret
• Helping inform a point of view
• The idea may not be right or wrong
CURSE OF KNOWLEDGE
Summaries
DELIVERING BADNESS
Vulnerability &
External Audit Reports
BURY THEM!?!
INCIDENTS HAPPEN
Unsafe to Discuss?
Acknowledge bias:Prevention vs. Response
ACTIVATING INCIDENT RESPONSE
AdmittingFailure?
Insurance Policy?
Helping your CISO in the Boardroom
All CISOs have to address 3 questions (with EVERYTHING they say)
•What do I need to know?
•Why does this matter / Why do I care?
•What do you need from me?
Simple… and Hard.
WHAT’S REPORTED
WHAT’S REPORTED - TENURE
•20% have been in the CISO role less than 12 months
•New focus by Board in Security
•Last CISO was “too much business, not enough security”
•1/5 CISOs are looking for guidance or program validation
WHAT’S REPORTED – AREA OF FOCUS
•15% report on specific security project status
•20% are concerned about Compliance Audits
•25% are focused on Incident Response
•49% are reporting on Vulnerability Management
WHAT’S REPORTED – TANGIBLE
•6% report on Volume of Spam Blocked
•12% report no real metrics to their Board
•Also heard “lost laptops”, “stolen iPads”, “blocked websites”
•Many CISOs grasp for topics to catch their boards attention
AFFECTING CHANGE
Affecting Change – Rapid7 Research
•A Quantitative and Qualitative SURVEY
•>100 CISOs & non-Security Executives
•What gets reported? (Routine vs. Special Updates)
•Mapping against common Cybersecurity Frameworks
Agreeing on Simple…HARD TO DO!
