A review of the "lessons learned" in establishing a CISO/CSO role in two different organizations. The things that security folks DON'T tell you...
Case Study: Establishing the
“CISO/CSO” Role
Candy Alexander, CISSP CISM
SecureWorld Expo Boston
March 24, 2011
Room 103
SecureWorld Expo - Boston March 24, 2011 - Room 103
Topics
Presentation approach
Setting the scene
Secrets for success?
Sample Program Approach
Presentation Approach
Focus on “soft skills”
A huge challenge is that we typically come from IT, military/government, or law enforcement
Secrets behind program methodologies and technology
Setting the Scene
Company #1: Publicly held, “Civil Engineering” focused
2 levels below CIO
7500+ employees
Compliance Mission: SOx
Security Mission: Asset protection (physical security/equipment thefts)
Company #2: “Private” Federal government contractor
2 levels below CEO
Small workforce – huge “virtual store front”
Compliance Mission: FISMA/State DP
Security Mission: Data Protection (PII/PHI)
Secret #1
Organization Structure: Segregation of Duties
CIO - Fox watching the chicken coop?
CFO/Audit
CFO/Spending - shoemaker’s child?
Audit – Chicken coop watching the fox?
CTO - Good mix; understands the tech side, but…?
COO - Good understanding of how security impacts the business and vice versa
CEO – Gets the attention, however not always in tune
Anywhere you can get authority, credibility, and visibility!
Secret #2
Don’t say a word…
- Fight the temptation to fix
- Need to understand:
Corporate culture (loose or hard-nosed)
Who the pushers & shakers are and what’s driving them
Where the challenges are, to be addressed LATER (they *will* resurface!!)
Secret #3
Appearance is everything…
Offer solutions and not just problems
Cliché – business enabler vs. disabler
Understanding perceptions
Secret #4
Establish Partnerships
Not just with IT!
What is important to the business
Overall drivers
Learn the business, and have the business learn security
Security Council (Exec. Level)
Set strategic direction & buy-in
Players: all the “C”s (if possible), HR, Legal and Audit
Secret #5
Don’t scare ’em or baffle ’em
Scaring or baffling ’em will only result in a glassy-eyed look
Indirectly tells them you don’t understand the business
Tell them in their own words
Impact on business
Cost of doing/not doing
Expectations
Executives want to know…
Messages short and sweet
Get to the point
Be honest
Secret #6
Auditors really are your friends…
Play nice in the sandbox
Negativity is not to be taken personally
Partnership
Common goal (the company)
Audit = attention (especially CFO)
Careful!
Only to be used by an “experienced” professional
Disclaimer – can backfire
GOAL: No surprises on reports; only confirmations
Putting it all together…
1 - Understand “why” you are there
Need to meet expectations
Helps decide which framework to use (if not already chosen)
2 - Framework
Understand which is best for the need
If in place – determine level of compliance/risk
Putting it all together…
3 - Program management & basic practices
No matter how big or small the organization
Documentation is everything
Governance approach
Project charters, plans, schedules & meeting notes
Eliminates “misunderstandings” or misinterpretations
Ensures all are moving toward the same goal
Using a Plan…
Based on 4 phases
Phase I: Gather Requirements
Phase II: Gap Analysis
Phase III: Development and Implementation
Phase IV: Ongoing Monitoring and Maintenance
Security Program - Phase I
Gather Requirements
Management’s Objective
Technology review: pen tests, risk assessments, compliance monitoring, audit reports
Select framework based on regulatory requirements:
SOx – COBIT/COSO
Data Privacy – pick one (NIST, ISO, etc.)
HIPAA – pick one (NIST, ISO, etc.)
Credit Card - PCI DSS
FISMA - NIST
Security Program - Phase II
Gap Analysis
Audit reports, pen tests and risk assessments
Security management
What’s in place?
Security agreements (contracts, SLAs, etc.)
Incident response/business continuity/disaster recovery
Policies & procedures
Workforce safeguards: Sr. Mgmt AND employees
Technology: software, hardware, network
Security Program - Phase III
Develop projects to fill in the gaps
Security management: policies & procedures drive the program!
Technology
Inventory - what do you have? Hardware, software, access control (review, etc.), and DATA!
Implementation Projects
Each project should have a clear objective, tasks, owners and expected time to complete documented
Metrics that relate directly to the project
There should be no project plan w/o metrics
Security Program - Phase IV
Ongoing Monitoring & Reporting
Monitoring
Policies
Business controls
Audit remediation
Risk analysis
Security Program - Phase IV
Reporting
Types of Reports
Executives – 1 pager/charts/quick view
Mid-management – 1 pager + some
“Front Line” – very specific
Trends
Everyone likes to see accomplishments
Everyone needs to see challenges
Expected actions to be taken
Defined as part of the report requirement
i.e. no reports for the sake of doing reports
Define who & when
Questions?
Candy Alexander, CISSP CISM
Send email for copy of this presentation