The New CISO
Pradeep Menon
Executive Vice President and Director, Quadrant Risk Management
The 3rd Kuwait InfoSecurity Conference, May 26, 2011
AGENDA
› The Evolving Role of the CISO
› Selling Security Internally
The CISO
› The role of the Chief Information Security Officer (CISO) is becoming very strategic in nature
› Some of the key drivers for this strategic visibility include:
  › Breaches that lead to impairment of organizational vision and mission
  › Regulatory requirements
  › Attention on risk management in a challenging economic climate
Evolution of the Role of Information Security
› Operational: 9-12 years ago
› Tactical: 5-8 years ago
› Strategic: since the last 2-3 years
Source: Forrester Research
New Responsibilities
› The emerging role of the CISO and the information security office calls for new skills and responsibilities to be undertaken, including:
  › Marketing and selling of Information Security within the organization
  › Quantifying benefits
  › Moving from Controller to Business Enabler
  › Program-managing security rather than project-managing it
  › Representation in the senior management decision-making bodies
The Major Roadblocks CISOs Still Face
› Acceptance by top management
› Shrinking IS budgets
› Feeling the need for IS spending
› Lack of regulations
AGENDA
› The Evolving Role of the CISO
› Selling Security Internally
Tips for Enhancing CISO Value and Reach

Branding Security
› Security could be branded as a member of the organization
› Creating characters, voices and visuals that represent security in a meaningful way
› E.g. Salim from aeCERT
CEO Involvement
› Make the CEO sign important Information Security policies
› Make the CEO speak about security
› Educate the CEO with important news and reports through periodic meetings
Business Involvement
› Organize quarterly meetings where business users and InfoSec teams interact
› Let business users express their views
› Conduct white paper sessions to demonstrate how security issues can lead to loss of customers
(Diagram: Business and Information Security together make up Total Security)
Security Awareness Day
› Security should become a habit, not a regulation
› Celebrate security practices and achievements
› Place kiosks, stalls etc. to create awareness about following security practices
› Let the CEO inaugurate the proceedings of the Day
› Involve people from business units
› Conduct contests
External Agencies
› Form Information Security sub-committees in organizations such as KITS (if not already in place)
› Influence regulatory bodies and excellence centers such as CAIT and Central Banks
  › e.g., SAMA regulation for Multi Factor Authentication
  › ADSIC – Information Security Program
Annual ISMS Reporting
› Publishing annual reports on IS activities and developments for the year
› Creating a web portal for users to view the various reports on the metrics on which their contribution to IS initiatives is rated
External Consultancies
› External consultancies are subject matter experts (SMEs)
› Their experience is wide and deep in an area
› Utilizing consultancies for specific programs might make it easier to get management buy-in
› Organizational hierarchy could be a bottleneck to expressing views and concerns regarding security issues
› Look upon consultancies as partners or change agents, not as vendors or spenders
Other CISO Involvement
› Inviting CISOs from other companies helps in knowledge exchange and gains on both sides
› Forums such as LinkedIn and Facebook have been instrumental in generating "networking"
› Involvement in joint research initiatives through organizations such as CAIT (The Central Agency for Information Technology), KITS (Kuwait Information Technology Society), aeCERT, OCERT etc.
External Involvement
› Incentives for your IS team members to contribute to and attend various events such as conferences, trainings, seminars etc.
› Encourage publishing of white papers on popular websites and in journals on behalf of the organization
Thank You
Pradeep Menon
Executive Vice President and Director, Quadrant Risk Management
[email protected] | +971-4-6091970 | Mob: +971-50-4815260