CISOs are from Mars, CIOs are from Venus

Most organizations have a CIO; many have a CISO. These key leadership positions often approach solutions differently and have different motivations. The CIO must deliver IT, automation, innovation and efficiency. The CISO is tasked with assuring adherence to security frameworks and regulatory standards, and with protecting against, and responding to, vulnerabilities and incidents. These mandates can conflict, and often the CISO reports to the CIO. We will take a light-hearted look at questions including: What are the issues? Are CISOs and CIOs from different planets? Can we align to meet critical business needs, deliver value and protect the organization?

Published in: Business, Technology

Speaker notes
  • Check out my about.me, with links to twitter feed and Security and Coffee blog.
  • CISO reports to CIO – Conflict of interest? Security overruled?
    CISO reports to {CRO, CEO, CxO} – Visibility into IT? Budget?
  • CISO – Protection of data; minimum necessary
    CIO – What happens in the boardroom, stays in the boardroom
  • CISO – Data in correlates with data out; chain of custody of log and forensic data; coherence of financial data
    CIO – Transparency; coherence of financial data
  • CISO – Probability/impact of threats
    CIO – Not meeting business needs
  • Solutions? Opportunities!
  • Mobile/BYOD/Cloud
    “R”OI
    Vendor management
    Management – Vendor; Configuration; Incident; Risk
    Lifecycle/SDLC
    Monitoring
    Configuration management
    Incident response
    Keep the auditors happy
    Keep the board happy

Slides

    1. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org
       CISOs are from Mars, CIOs are from Venus – Barry Caplin – Tues. May 12, 2015, 1:30P
    2. CISOs are from Mars, CIOs are from Venus – Secure360, Tues. May 12, 2015, 1:30P
       Barry Caplin, VP, Chief Information Security Officer, Fairview Health Services
       bcaplin1@fairview.org | bc@bjb.org | @bcaplin | http://about.me/barrycaplin | http://securityandcoffee.blogspot.com
    3. http://about.me/barrycaplin | securityandcoffee.blogspot.com | @bcaplin
    4. Fairview Overview
       • Not-for-profit established in 1906
       • Academic Health System since 1997 partnership with University of Minnesota
       • >22K employees
       • >3,300 aligned physicians
         – Employed, faculty, independent
       • 7 hospitals/medical centers (>2,500 staffed beds)
       • 40-plus primary care clinics
       • 55-plus specialty clinics
       • 47 senior housing locations
       • 30-plus retail pharmacies
       2012 data:
       • 5.7 million outpatient encounters
       • 74,649 inpatient admissions
       • $2.8 billion total assets
       • $3.2 billion total revenue
    5. Who is Fairview? A partnership of North Memorial and Fairview
    6. Different worlds
    7. The Sword of Anti-Virus
    8. The Light Saber of Endpoint Protection
    9. The Shield of Next-Gen Firewall
    10. The Scepter of IT Budget
    11. The Cloud of…
    12. Different worlds – reporting structure
        CISO reports to CIO
        • Security overruled?
        CISO reports to {CRO, CEO, CxO}
        • Visibility into IT?
        • Budget?
    13. Different languages
    14. Threats
        CISO – • Nation States • Hacktivists • Malicious attackers • Malware
        CIO – • Over-time; over-budget • Outsourcing
    15. Confidentiality
        CISO – • Protection of Data • Minimum Necessary
        CIO – What happens in the boardroom, stays in the boardroom
    16. Integrity
        CISO – • Data in correlates with data out • Chain of custody of log and forensic data • Coherence of financial data
        CIO – • Transparency • Coherence of financial data
    17. Risk
        CISO – • Probability/Impact of Threats • Data Breach
        CIO – • Not meeting business needs • Data Breach
    18. CIO – Considering Interim Opportunities
    19. CISO – Career Is Soon Over
    20. Meet in the middle
    21. Unite Against the Common Enemy
    22. Key Opportunities – Mobile/BYO(x)/Cloud
        • Business pressure to use mobile/BYO
        • Costs v SaaS
        • Figure out the business use/need
        • Solve it!
    23. Key Opportunities – “V”OI
        • Not just cost center
        • CIO/CFO need budget justification
        • Not just hard $
        • Value: Efficiency Improvements – service, capability; Maturity; Tool rationalization
    24. Key Opportunities – Management – Vendor; Configuration; Incident; Risk
        • Security v IT definition
        • Metrics and Measures
        • Example: ITIL incident process meshes with Security event/incident/investigation process
    25. Key Opportunities – Lifecycle/SDLC
        • Process for project efficiency
        • Security requirements defined early
        • Help meet completion target
    26. Key Opportunities – Keep the auditors happy
        • External/Internal/Financial
        • Easier audits = less pressure on IT resources
        • Fewer findings = less hassle for CIO
    27. Key Opportunities – Keep the board happy
        • Good Communication
        • Better opportunities and funding for all!
    28. Good Things are sure to follow
    29. http://about.me/barrycaplin | securityandcoffee.blogspot.com | @bcaplin