As technology’s role in business success increases, so does the importance of cybersecurity. This session will discuss how the role of the CISO is evolving from a technical position to a business-focused position, and the business and communication skills that will become critical.
(Source: RSA Conference USA 2017)
3. #RSAC
More visible
No longer a back office technology expert
Accountable as an Innovator and Strategic Business leader
Must be able to work across company leadership: Engineering, IT, Legal, Risk, Lines of Business, Public Relations, etc.
How has our role CHANGED?
4. #RSAC
3 Simple Questions to ask Yourself
1. Am I helping to drive Innovation or am I slowing it down?
2. Am I an “Enforcer” or “Enabler”?
3. Am I communicating my security strategy effectively to my Executive team and Board?
13. #RSAC
So, what can you do?
Get InfoSec on the Scrum Teams
Secure application code, infrastructure AND environments from the start
Automate and integrate tools in the build process
Build in compliance auditing and reporting
15. #RSAC
CIOs AND employees now have a toolbox of “purpose-built” SaaS tools architected and designed with consumer-grade features
16. #RSAC
The widening perimeter of SaaS-based tools in use by employees is pushing CISOs into a position of saying WAIT or NO rather than saying HOW
“Shadow IT is back stronger than ever!”
17. #RSAC
… AND CISOs have a role in creating business value and employee enablement
18. #RSAC
So, what can you do?
Monitor the perimeter for the use of these cloud applications by your employees
19. #RSAC
…and enable those applications that are enterprise ready:
they have a management console
user management via invitation and self-subscription
2FA & encryption tools
Evaluate new ones that meet these criteria
24. #RSAC
More than 70% indicated they have significant concerns about risk from third-party software
25. #RSAC
Meeting Board Expectations
Breach readiness and breach response are hot discussion topics
They want to know you have a programmatic approach
Speaking strategically can gain confidence in your security agenda
26. #RSAC
Concepts to get across
There is no such thing as a breach-free organization
Cyber security is a company-wide responsibility
Cyber security needs to be thought of as a long-term strategy
27. #RSAC
What they want to know about
Breaches in similar industries
Key trends in successful attacks
Who is out to attack our company and why
28. #RSAC
What you also want them to know
Describe the top 5 cyber risks the company faces and the level of exposure to each
Let them know what you’re working on
How you compare to peers
How your program is stacking up
29. #RSAC
So, what can you do?
You will only get 5-15 minutes devoted to the cybersecurity topic
Prepare an appendix for anything beyond a few key indicators
Do not use acronyms - think “denial of service” not DDoS
Use visuals not text
Use analogies & comparatives
Provide a scorecard to illustrate progress
32. #RSAC
So …Who are You?
1. Innovation Driver?
2. “Enabler”?
3. Communicator?
33. #RSAC
Key Takeaways
As the CISO, you need to embrace the role of driving innovation
Your company needs you to “enable” employees to be more productive
Your Executive Teams and Boards need you to provide an accurate picture of your InfoSec program and how you are measuring up
At the end of the day, they want to have a good story that we did everything possible to prevent and prepare for a breach
34. #RSAC
What to do next…
Next week you should:
See where your team is slowing engineering innovation
Assess your awareness of the use of cloud applications by your employees
Ensure you know the Information Security concerns of your Board
In the next quarter you should:
Focus on your skills as a Driver of Innovation and as a Communicator
Engage with peers to develop your Board Update Template