Stuff my CISO says
Many CISOs come from more of a technical, rather than a business, background. However, we need to be able to communicate with Senior Management, business-area leaders and users who are usually not technologists. In this talk we will look at some of the common topics CISOs need to cover and discuss how to rephrase the messages to better reach a business-oriented audience. We will discuss: how to think about security risks the way business personnel do; how to translate technical security topics into more business-friendly language; and how to reach a broader audience with the information security message.

Published in Technology
  • Check out my, with links to twitter feed and Security and Coffee blog.
  • Hedley Lamarr
  • Sheriff Bart
  • Agent Smith
  • Morpheus
  • Mr. Han
  • Bruce Lee
  • Dr. No
  • Bond
  • Dr. Evil
  • Austin Powers
  • Darth Vader
  • Yoda – Together we work with business, on-time to finish, needed controls we will have.
  • Khan
  • Kirk
  • Colonel Klink
  • Colonel Hogan


  • 1.
  • 2. Security Isn’t Easy… We didn’t get into it for the…
  • 3. The Challenge of Security Awareness: Nobody cares about Security… Why? And how do we get their attention and support?
  • 4. Issues: Security viewed as a negative; Avoidance v. “risk” – Delays – Cost – Extra work – “Gotchas”
  • 5. It Can’t Be Just…
  • 6. We need sensible controls…
  • 7. … early in the process…
  • 8. Bad CISO/Good CISO
  • 9. Governance (Bad CISO): “Governance… We don’t need no stinkin’ governance!”
  • 10. Governance: Develop a clear strategy using an industry standard framework.
  • 11. Policy (Bad CISO): “All Security Policy is the same. I got mine from a book.” “Hello Mr. Anderson”
  • 12. Policy: Policies are based on solid principles, but adapted to fit the organization. … and prophesies from the oracle
  • 13. Compliance (Bad CISO): “We write the policies. We make people sign an oath. Done.” Compliance and consequences policy
  • 14. Compliance: We must make (understandable) policies. We must teach. We must assess, measure and report.
  • 15. Awareness (Bad CISO): “Users will know what they have to do or be eliminated.”
  • 16. Awareness: Users can talk to Security. We teach. We answer questions.
  • 17. Senior Management (Bad CISO): “I say what they want to hear. They’re not listening anyway.”
  • 18. Senior Management: Give them the info they need and they will be engaged.
  • 19. Projects and Dev (Bad CISO): “They can pay me now or they can pay me later.”
  • 20. Projects and Dev: We work together with business to finish on-time and with needed controls.
  • 21. Business Needs (Bad CISO): “I buy the best known security products because they’ve got to be good.”
  • 22. Business Need: Working together we find control- and cost-effective security products that work and are usable.
  • 23. Operations (Bad CISO): “We’ve always done it this way.”
  • 24. Operations: We partner with the business and tailor the program to meet the need.
  • 25. Stuff I Say… KISS
  • 26. Stuff I Say… No one has “read and understood” but is definitely still responsible. Simple, direct language in policy. Compliance via education.
  • 27. Stuff I Say… You pay by the word. Keep policies short and sweet. If not, you’ll pay on the compliance-effort side.
  • 28. Stuff I Say… People want to do the right thing, but what is the right thing? Understandable policy. Simple rules.
  • 29. Stuff I Say… Do What Makes Sense. Risk Management approach. Seek out and destroy meaningless policy/controls/practices.
  • 30. Stuff I Say… Iterative Improvement. Maturity model. CObIT, SEI CMMI.
  • 31. Stuff I Say… Automation! Metrics. Tools. Reporting.
  • 32. Stuff I Say… What is the business need? Find out the business need in plain business language.
  • 33. Stuff I Say… Have Fun!
  • 34. Discussion… Slides at, @bcaplin, +barry caplin