1. http://about.me/barrycaplin
   securityandcoffee.blogspot.com
2. Security Isn’t Easy… We didn’t get into it for the…
3. The Challenge of Security Awareness
   Nobody cares about Security… Why? And how do we get their attention and support?
4. Issues
   • Security viewed as a negative
   • Avoidance v. “risk”
     – Delays
     – Cost
     – Extra work
     – “Gotchas”
5. It Can’t Be Just…
6. We need sensible controls…
7. … early in the process…
8. Bad CISO/Good CISO
9. Governance (Bad CISO): Governance… We don’t need no stinkin’ governance!
10. Governance (Good CISO): Develop a clear strategy using an industry standard framework.
11. Policy (Bad CISO): All Security Policy is the same. I got mine from a book. “Hello Mr. Anderson”
12. Policy (Good CISO): Policies are based on solid principles, but adapted to fit the organization. “… and prophesies from the oracle”
13. Compliance (Bad CISO): We write the policies. We make people sign an oath. Done. Compliance and consequences policy.
14. Compliance (Good CISO): We must make (understandable) policies. We must teach. We must assess, measure and report.
15. Awareness (Bad CISO): Users will know what they have to do or be eliminated.
16. Awareness (Good CISO): Users can talk to Security. We teach. We answer questions.
17. Senior Management (Bad CISO): I say what they want to hear. They’re not listening anyway.
18. Senior Management (Good CISO): Give them the info they need and they will be engaged.
19. Projects and Dev (Bad CISO): They can pay me now or they can pay me later.
20. Projects and Dev (Good CISO): We work together with business to finish on-time and with needed controls.
21. Business Needs (Bad CISO): I buy the best known security products because they’ve got to be good.
22. Business Need (Good CISO): Working together we find control- and cost-effective security products that work and are usable.
23. Operations (Bad CISO): We’ve always done it this way.
24. Operations (Good CISO): We partner with the business and tailor the program to meet the need.
25. Stuff I Say… KISS
26. Stuff I Say… No one has “read and understood” but is definitely still responsible. Simple, direct language in policy. Compliance via education.
27. Stuff I Say… You pay by the word. Keep policies short and sweet. If not, you’ll pay on the compliance-effort side.
28. Stuff I Say… People want to do the right thing, but what is the right thing? Understandable policy. Simple rules.
29. Stuff I Say… Do What Makes Sense. Risk Management approach. Seek out and destroy meaningless policy/controls/practices.
30. Stuff I Say… Iterative Improvement. Maturity model. CObIT, SEI CMMI.
31. Stuff I Say… Automation! Metrics. Tools. Reporting.
32. Stuff I Say… What is the business need? Find out the business need in plain business language.
33. Stuff I Say… Have Fun!
34. Discussion… Slides at http://slideshare.net/bcaplin
    barry.caplin@state.mn.us, bc@bjb.org, @bcaplin, +barry caplin, securityandcoffee.blogspot.com
Stuff my CISO says
Many CISOs come from more of a technical, rather than a business, background. However, we need to be able to communicate with Senior Management, business-area leaders and users who are usually not technologists. In this talk we will look at some of the common topics CISOs need to cover and discuss how to rephrase the messages to better reach a business-oriented audience. We will discuss: How to think about security risks in a way business personnel do; How to translate technical security topics into more business-friendly language, and; How to reach a broader audience with the information security message.

Published in: Technology

Notes
  • Check out my about.me, with links to twitter feed and Security and Coffee blog.
  • Hedley Lamarr
  • Sheriff Bart
  • Agent Smith
  • Morpheus
  • Mr. Han
  • Bruce Lee
  • Dr. No
  • Bond
  • Dr. Evil
  • Austin Powers
  • Darth Vader
  • Yoda – Together we work with business, on-time to finish, needed controls we will have.
  • Khan
  • Kirk
  • Colonel Klink
  • Colonel Hogan