ISE® NORTH AMERICA LEADERSHIP SUMMIT. Cyber, the Path to CISO: “How Cyber is Evolving the Role of the Modern CISO”. Gary Hayslip, CISO, City of San Diego. Keynote Presentation.

Page 1

ISE® NORTH AMERICA LEADERSHIP SUMMIT

Cyber, the Path to CISO

“How Cyber is Evolving the Role of the Modern CISO”

Gary Hayslip, CISO

City of San Diego

Keynote Presentation

Page 2

ISE® North America Leadership Summit #ISEawards

Background

Started with computers in the early 1980s as a teenager.

Served 20 years in the US Navy working with computers and cyber security (1986-2007).

Spent 6 years as a Federal Civil Servant for the US Navy as a CISO.

Spent the last 4 years as the Deputy Director of IT and CISO for the City of San Diego, CA.

In 30 years I have worked numerous positions: developer, network administrator, network engineer, security architect, security auditor and security forensic investigator.

Worked on and audited federal and military networks from all over the world (architecture, security controls, policies).

Why this background is important – cyber security, whether in the Federal Government, Municipal Government or Commercial sector, has many moving parts; it's not just one checkbox.

Gary Hayslip, CISO

Page 3

San Diego Trivia

11,000+ employees

14,000+ desktops & laptops

500+ tablets and mobile devices

1000+ City-issued cell phones

City has over 24 networks with an estimated 35,000+ endpoints.

Sensitive data types such as PII, PCI, HIPAA, & Financial

Installed technology ranges from 1980s-era hardware to state-of-the-art cyber security analytics software.

Internet-of-Things (IoT) in large scale enterprise deployments

Average of 1 million attacks on its networks per day

City of San Diego by the Numbers

Page 4

The Usual

Common challenges for a CISO

• Disparate technologies

• Gaining visibility into strategic business processes

• Entrenched processes & workflows

• Budget? What budget?

• Managing 3rd-party vendor risk

• Cyber – executives' lack of understanding of its value

• Where is my data? Who has access to it? What is it used for?

What is considered critical?

Page 5

Surprise!

Challenges that surprised me as CISO

• Working for an organization that is 24/7

• Dedicated employees who want to partner with cyber

• We don’t own our data?

• Collapse of the perimeter

• Cloud is everywhere

• Visibility = Budget & More

Page 6

I am Being Educated

Top 3 things I learned as CISO in my 1st Year

• It's all about relationships

• You must be innovative

• Politics, Projects, & Funding

Page 7

Changing Mindset

So why is this important?

• Stakeholder departments have different business requirements & needs.

• Matching executives' expectations with reality.

• Risk Management = It's all about the grey.

• Environment is constantly changing

• Collaboration or die

• Job is not for the meek

Page 8

Growing Threats

Threats - Hacktivism

Page 9

Building a Plan

To be effective, you need a plan

Page 10

Building a Security Program

Cyber – Building a program

Anti-Malware Platform

Daily Operations (SIEM)

Network Behavior Analytics

Data Governance

Continuous Scanning, Remediation, Monitoring

Page 11

Building Your Teams

Cyber Operations Team

E1472/Sire support for City Clerk

eDiscovery Services - PRAs, Investigations, management of email storage archives.

Remote Access Management – (VPN/Netmotion)

Manage SAP Security service tickets – request assistance with issues (accounts, roles, permissions, renames)

Active Directory (New accounts, Share drive Folders, Permissions, Group Policy Management)

Okta – Single Sign On (User Account Applications provisioning & management)

Application Vulnerability Tracking (Desktops)

Server Vulnerability Tracking (Unpatched Servers)

Varonis Server – User and data analytics platform to manage the location, access and use of city data

Office 365 – new email accounts, group email account management.

ServiceNow Implementation/Administration – management of security services/projects

Cyber Security & Risk Management

Cyber Engineering Team

• Sumo Logic - Search, monitor, analyze and visualize data

• AttackIQ - Live Attack/Validation Scenarios

• PCI DSS – management of credit card documentation for the city to keep certification.

• PacketSled - Next Generation Threat Detection and Network Forensics

• Maltego - Intelligence and Forensics

• Cyberflow Analytics – Network and user analytics platform

• FireEye - Automated threat forensics and dynamic malware protection

• MS-ISAC “Albert” Service - Federally Funded Monitoring from the Multi-State Information Sharing and Analysis Center

• NESSUS Continuous Monitoring - Vulnerability Assessment Solution

• Netskope - Cloud security, data analytics and threat platform

Page 12

Multiple Roles

Roles for the CISO are evolving

It was this change in roles, and the belief that the CISO brings value to an organization, that drove us to write the CISO Desk Reference Guide.

Page 13

Roles to Bring Value

CISO, new roles to be effective

• Old role – business protector

• Information Security

• Not viewed as a strategic resource

• New Roles

• Organizations want a business partner

• Risk Management

• Business Enabler

• IT Governance

• Need “Operational Resiliency”

• Cyber seen as a business enabler

• Expert in security and risk management

Page 14

Risk and More Risk

CISO – Risk Manager

• Cyber through a risk lens

• Risk assessment methodologies

• Risk of installed technologies & software (visibility)

• Continuous monitoring, assessment and remediation

• 3rd Party Management

• Vendors

• Strategic Partners (impact to organization)

• Organizations (Local, State, Federal)

• Whose risk is it?

• Old View – if it's critical, you must fix it.

• New View – the business sets priority; the CISO provides analysis, but the business decides.

Page 15

Cyber + Business = Yah!

CISO – Business Enabler

• Provide risk insight into areas such as:

• Mergers & Acquisitions

• Cloud Computing

• Mobile Technologies

• Business Continuity

• Disaster Recovery

• Key member of IT leadership team to assess new technologies

• As a member of the business team

• No longer the “innovation killer”

• When expertise is requested for a project

• Business requirement driving the project

• Work for a solution that enables and is secure.

Page 16

IT's Report Card

CISO – IT Governance

• Strategy & Business Alignment

• Cyber security program aligned with the organization's strategic goals

• Management of IT portfolio

• Risk Management Framework

• Establish risk baseline

• Monitor residual risk

• Roles & Responsibilities

• Audit roles & access

• View access as a life-cycle

• IT & Security Report Card

• Operational metrics – establishing risk and security baselines

• Executive metrics – reporting the business impact of collected metrics (should be tied to business operations)

Page 17

Cyber as a value added service!

Cyber as a Service

Need to understand what is important to the organization

◦ Data

◦ Applications

◦ Processes

Work with business units to implement security controls that don't hinder

◦ Continuously inventory, assess, monitor, scan and remediate

◦ Understand your impact

Through innovation, look for secure solutions to aid the business

◦ SSO, 2FA

◦ MDM

◦ Cloud solutions

◦ Data Governance

◦ Authentication, Access, Management, Storage etc.

Page 18

Cyber! A strategic partnership

Cyber – It's about the Maybe

• You’re a strategic partner

• Risk Management, Governance, Business Enablement

• The organization's users are your customers

• Continuously review and assess the service you provide to the organization

• Use metrics to measure your maturity level

• You are not there to say “No”; your job is to say “Maybe”

• Need to know your customers

• Need to know your strategic plans (IT & Organization)

• Knowledgeable on alternatives

• Educate yourself, your teams, staff

• Provide guidance for a secondary solution

• Enable the business & still reduce risk exposure.

Page 19

Department of I.T. – Cybersecurity Division

Questions, Rants, Discussions?

Gary Hayslip

Deputy Director, Chief Information Security Officer

[email protected]

@ghayslip

https://www.linkedin.com/in/ghayslip

619-322-6636