Stuff My CISO Says


Many CISOs come from more of a technical, rather than a business, background. However, we need to be able to communicate with Senior Management, business-area leaders and users who are usually not technologists. In this talk we will look at some of the common topics CISOs need to cover and discuss how to rephrase the messages to better reach a business-oriented audience. We will discuss: How to think about security risks in a way business personnel do; How to translate technical security topics into more business-friendly language, and; How to reach a broader audience with the information security message.

Speaker notes

  • Check out my about.me, with links to twitter feed and Security and Coffee blog.
  • Hedley Lamarr
  • Sheriff Bart
  • Agent Smith
  • Morpheus
  • Mr. Han
  • Bruce Lee
  • Dr. No
  • Bond
  • Dr. Evil
  • Austin Powers
  • Darth Vader
  • Yoda – Together we work with business, on-time to finish, needed controls we will have.
  • Khan
  • Kirk
  • Colonel Klink
  • Colonel Hogan

Transcript

  • 1. http://about.me/barrycaplin securityandcoffee.blogspot.com
  • 2. Security Isn’t Easy… We didn’t get into it for the…
  • 3. The Challenge of Security Awareness: Nobody cares about Security… Why? And how do we get their attention and support?
  • 4. Issues: Security viewed as a negative; Avoidance v. “risk”: Delays, Cost, Extra work, “Gotchas”
  • 5. It Can’t Be Just…
  • 6. We need sensible controls…
  • 7. … early in the process…
  • 8. Bad CISO/Good CISO
  • 9. Governance (Bad CISO): Governance… We don’t need no stinkin’ governance!
  • 10. Governance: Develop a clear strategy using an industry standard framework.
  • 11. Policy (Bad CISO): All Security Policy is the same. I got mine from a book. “Hello Mr. Anderson”
  • 12. Policy: Policies are based on solid principles, but adapted to fit the organization. … and prophesies from the oracle
  • 13. Compliance (Bad CISO): We write the policies. We make people sign an oath. Done. Compliance and consequences policy
  • 14. Compliance: We must make (understandable) policies. We must teach. We must assess, measure and report.
  • 15. Awareness (Bad CISO): Users will know what they have to do or be eliminated.
  • 16. Awareness: Users can talk to Security. We teach. We answer questions.
  • 17. Senior Management (Bad CISO): I say what they want to hear. They’re not listening anyway.
  • 18. Senior Management: Give them the info they need and they will be engaged.
  • 19. Projects and Dev (Bad CISO): They can pay me now or they can pay me later.
  • 20. Projects and Dev: We work together with business to finish on-time and with needed controls.
  • 21. Business Needs (Bad CISO): I buy the best known security products because they’ve got to be good.
  • 22. Business Need: Working together we find control- and cost-effective security products that work and are usable.
  • 23. Operations (Bad CISO): We’ve always done it this way.
  • 24. Operations: We partner with the business and tailor the program to meet the need.
  • 25. Stuff I Say… KISS
  • 26. Stuff I Say… No one has “read and understood” but definitely still responsible. Simple, direct language in policy. Compliance via education.
  • 27. Stuff I Say… You pay by the word. Keep policies short and sweet. If not, you’ll pay on the compliance-effort side.
  • 28. Stuff I Say… People want to do the right thing, but what is the right thing? Understandable policy. Simple rules.
  • 29. Stuff I Say… Do What Makes Sense. Risk Management approach. Seek out and destroy meaningless policy/controls/practices.
  • 30. Stuff I Say… Iterative Improvement. Maturity model. CObIT, SEI CMMI.
  • 31. Stuff I Say… Automation! Metrics. Tools. Reporting.
  • 32. Stuff I Say… What is the business need? Find out business need in plain business language.
  • 33. Stuff I Say… Have Fun!
  • 34. Discussion… Slides at http://slideshare.net/bcaplin; barry.caplin@state.mn.us; bc@bjb.org; @bcaplin; +barry caplin; securityandcoffee.blogspot.com