Security Profiles of the CISO Vanessa Pegueros – DocuSign
DOCUSIGN CONFIDENTIAL 1
CISO – The Stepchild C-level
Putting ego aside for a moment…
§ Is it really an effective title?
§ What other C-level has such a questionable level of authority?
§ No common definition of the role across companies
§ Span of control is variable
§ Control of budget is indirect
§ Does the title help us accomplish our mission?
With Title Comes Authority… It Depends
Traditional “C” level titles
§ CIO
§ CTO
§ COO
§ CFO
Non-“C” titles but accountable to the CEO
§ HR
§ Marketing
§ Sales
§ Legal
Newer “C” titles
§ CPO
§ CMO
§ CRO
§ CISO
Real authority and legitimacy come from a direct tie to revenue or to controlling cost
Our function sits on uneven ground
§ The CISO primarily deals with an unquantifiable topic: risk
§ It is difficult to prove the value of something unquantifiable
§ Risk will never be quantified in a universal way because it is personal
§ Everyone feels differently about risk
§ The feelings are unique to each individual
§ Our effectiveness is totally dependent on the culture and the company
Different Companies Want Different Things
§ Small company – The all in one CISO - “I want a CISO who can talk to the Board and program our Firewall”
§ High-growth company where security matters – The agile CISO – “I want someone to go sell security, we just assume you’ll take care of the rest”
§ High-growth company where security doesn’t matter – The necessary-but-evil CISO – “Just get us PCI compliance and we don’t want to see you anymore”
§ The large, slow-growth, regulated company – The auditor front person – “Just get us through the audit”
§ The company in decline or recently breached- The expendable CISO, “we just need someone to fire when it goes bad”
You must understand the culture of the company you are working for
CISO Skills Demanded Have Changed Over Time
[Timeline figure. Horizontal axis: 1990s, 2002, 2005, 2007, 2009, 2011, 2012, Future. Upper row, “Skill Defining Factors”: SOX, PCI, advanced hacking, iPhone, Heartland, TJ Maxx, distributed computing, Stuxnet, DDoS against FIs; customer awareness relative to security grows across the period. Lower row, “CISO Skills Needed”: Technical, Compliance, Sales, Law Enforcement, Enforcer, Public Relations, Risk Management?, Business Enablement.]
CISO Profiles
§ The Tech CISO
§ The Compliance CISO
§ The Conference Circuit CISO
§ The Sales CISO
§ The Law Enforcement/FBI/Secret Service CISO
The Tech CISO
§ Was an engineer and still likes to get his/her “hands dirty” with tech details
§ Wins the battles with technical acumen
§ Stays out of the public eye
§ Doesn’t quite understand why the business doesn’t support the very important security initiatives
§ Feels as though most in the company just “don’t get it”
The Compliance (Risk) CISO
§ Typically a non-technical background
§ Tends to like to follow the rules: “you are breaking the policy”
§ Wins battles based on process and the threat of non-compliance
§ “That’s not in the policy, I have no idea what to do”
The Conference Circuit CISO
§ Makes as many speeches as possible
§ Gets on as many advisory boards as possible
§ Great speaker and presenter; nice suits and haircut; always sounds very impressive
§ Doesn’t really engage in battles
§ Self-promotion is a very important factor
§ Doesn’t have time to actually manage their team/function
The Sales CISO
§ Spends most of their time with customers
§ May or may not understand security
§ Talks at customer conferences
§ Obsessed with closing the deal
§ Wins battles by saying “the customer wants it”
§ Also doesn’t have time to manage the team
The Law Enforcement/FBI/Secret Service CISO
§ Former Law Enforcement/FBI/Secret Service
§ Has a double life filled with intrigue and mystery
§ Is exciting to the C level
§ Creates instant cred with customers
§ Not as technical as people assume
§ Wins battles out of fear that the opponent may “disappear”
A New Model
§ The CISO is not a title, it is a function, and it requires multiple people
§ The functions are equally relevant to accomplishing the larger goals
§ Currently there is no good org model to accommodate this challenge, and the title does not help
§ CSO and CISO titles may become more common in a single org
§ Must figure out how to contribute to revenue
Cloud Providers Need all kinds of Security
§ Sales is driving credibility for the Security team
§ Having the cool law enforcement leader only helps
§ Compliance is a differentiator among competitors
§ Attending conferences is the marketing arm of Security
§ Technical execution is necessary to deal with the real security threat landscape
Recommendations
§ Understand who you are and what you are good at; be brutally honest
§ Categorize your company: growth level, importance of security
§ Understand what your company wants from you; if it is not a match, move on
§ Always have a plan B ready; you could be fired at any moment, whether at fault or not