A Statistical Approach
Determining the
Need for a CISO
And an Associated Strategic Plan for the CISO to
Provide Organizational Continuous Improvement
https://www.maximumjusticecybersecurity.com/ max@maximumjusticecybersecurity.com
Welcome
Max Justice
Entrepreneur, Cyber SME
20 December 2020
Agenda
• Executive Summary
• A Statement of the Problem and Hypotheses
• An Overview of the Organizational Design
  – Does the organization need a CISO?
  – The MJC Weighted Scoring Model: A Scorecard & Decision Analysis Tool
  – Strategic Cybersecurity Plan Template
  – Cybersecurity Roadmap Template
• An Overview of the Data Analysis
• A Strategic Plan Integrating a CISO Into Organization’s Leadership – Continuous Improvement
• Conclusion Including Roadmap and Timeline With Milestones to be Achieved
Executive Summary
Loss of C. I. A. (Confidentiality, Integrity, Availability)
=
Loss of
A Statement of the Problem and Hypotheses
Is the organization safe from a data breach, from being held
hostage by ransomware, or from a bad actor who would use technology
to steal, erase or watch the organization's data?
Suppose the organization is not protected from these and
other similar scenarios. In that case, there is a high probability
the organization would find it a business necessity to include a
CISO in the organization's leadership team.
To demonstrate this probability, the MJC process and its
statistical application were created for organizations to use in
identifying and determining the need for a CISO, enabling the
business with good cybersecurity and cyber-hygiene best practices.
Image courtesy of: betanews
Image courtesy of: The Texas Record
Overview of the Organizational Design
Image courtesy of: Slideshare (Aash, 2016).
A Statement of the Problem and Hypotheses
Understand the value
& business need for
employing a CISO
Does your organization
need a CISO?
Strategic Cybersecurity Plan Template
*SMART – Specific, Measurable, Achievable, Realistic, & Timely
**PPT is short for People, Process & Technology
Define the Organization's:
• Mission
• Principles
• Goals &
• Action Plan
Cybersecurity Roadmap Template
NARUC Strategy Development Framework
(NARUC, 2018).
Based on Industry Best Practice (NARUC)
Aligned to the Organizational Strategy
Built using SMART Goals & Objectives
Output Provides Collaboration and
Bought-In KPIs
Overview of the Data Analysis
Tailored to the organization
Aligned to the strategy
Valued Decision Analysis Tool
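The deck names a weighted scoring model as its decision-analysis tool but does not publish its criteria, weights or decision threshold. The block below is an added illustration of how a generic weighted scorecard of that kind is computed and stress-tested; it is not the MJC model, and every criterion name, weight, score and the 60-point threshold are assumptions chosen for the example. The swing analysis at the end shows which inputs would flip the decision, which is the check a decision-maker should demand before trusting any scorecard.

```python
"""Generic weighted scoring scorecard (added illustration; the criteria,
weights, scores and threshold below are assumptions, not the MJC model's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float  # relative importance, any non-negative number; normalised below
    score: int     # assessed 1..5, higher = stronger driver for a dedicated CISO


def weighted_score(criteria):
    """Return the weighted score on a 0..100 scale.

    Each criterion's 1..5 score is mapped onto 0..1, multiplied by the
    criterion's share of the total weight, and the products are summed.
    """
    if not criteria:
        raise ValueError("no criteria supplied")
    total_w = sum(c.weight for c in criteria)
    if total_w <= 0 or any(c.weight < 0 for c in criteria):
        raise ValueError("weights must be non-negative with a positive sum")
    for c in criteria:
        if not 1 <= c.score <= 5:
            raise ValueError(f"{c.name}: score {c.score} outside 1..5")
    return 100.0 * sum((c.weight / total_w) * ((c.score - 1) / 4) for c in criteria)


def decide(score, threshold=60.0):
    """Map a 0..100 score to a staffing recommendation (threshold is assumed)."""
    return "dedicated CISO" if score >= threshold else "fractional/virtual CISO or IT lead"


def swing_analysis(criteria, threshold=60.0):
    """Sensitivity check: for each criterion, report the first extreme score
    (1 or 5) that flips the base decision, if any. Criteria that never flip
    it are robust; the others are where the assessment must be defended."""
    base = decide(weighted_score(criteria), threshold)
    flips = {}
    for i, c in enumerate(criteria):
        for alt in (1, 5):
            trial = list(criteria)
            trial[i] = Criterion(c.name, c.weight, alt)
            if decide(weighted_score(trial), threshold) != base:
                flips[c.name] = alt
                break
    return flips


# Constructed sample assessment for a hypothetical mid-size organisation.
SAMPLE = [
    Criterion("Regulated data held (PCI/PHI/PII)", weight=3, score=5),
    Criterion("Revenue dependence on IT systems", weight=3, score=4),
    Criterion("Headcount / number of identities", weight=1, score=2),
    Criterion("Security incidents in last 24 months", weight=2, score=3),
    Criterion("Customer/contract security requirements", weight=2, score=4),
    Criterion("Gap in existing security leadership", weight=2, score=4),
]

if __name__ == "__main__":
    s = weighted_score(SAMPLE)
    print(f"score {s:.1f}/100 -> {decide(s)}")
    for name, alt in swing_analysis(SAMPLE).items():
        print(f"decision flips if '{name}' were scored {alt}")
```

With the sample inputs the scorecard lands at about 73 points and recommends a dedicated CISO, but the swing analysis shows that rescoring either of the two heaviest criteria to 1 would reverse that recommendation, so those two assessments are the ones the board should ask to see evidence for.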
A Strategic Plan to Incorporate a CISO
This strategic plan is a living
document delineating the
high-level objectives
protecting the organization’s
data, internal infrastructure,
and cloud environment.
To provide such protection,
the CISO must tie in duties
and performance metrics
(KPIs) achieving the following
high-level strategic goals:
1. Establish Sound Policies and Planning
2. Improve Audit Log Review/Analysis Reporting
3. Maintain Operational Compliance as per
Organizational Requirement
4. Identify and Enable Basic Cyber Hygiene
5. Establish and Mature a Robust Cyber
Awareness Program
6. Strengthen Privacy Compliance
Conclusion
SMART Goals aligned with the Organizational Strategy
focused on People, Process & Technology
Measure what matters
Image courtesy of
CONTRIBUTION
A good CISO understands it's about people first
Good cyber hygiene is practiced by all and
implemented by leadership
Win/Win/Win for the organization
If we are to improve trust in the system, it is
imperative we use sound and timely
tools, techniques and analysis over
guesses, hunches and assumptions
I look forward to
talking to you
again in the future
Next time,
bring friends
A framework for an organization to use in determining if it needs a ciso

  • 1. A Statistical Approach Determining the Need for a CISO, and an Associated Strategic Plan for the CISO to Provide Organizational Continuous Improvement
  • 3. Agenda • Executive Summary • A Statement of the Problem and Hypotheses • An Overview of the Organizational Design - Does the Organization Need a CISO - The MJC Weighted Scoring Model: A Scorecard & Decision Analysis Tool - Strategic Cybersecurity Plan Template - Cybersecurity Roadmap Template • An Overview of the Data Analysis • A Strategic Plan Integrating a CISO Into the Organization’s Leadership – Continuous Improvement • Conclusion, Including Roadmap and Timeline With Milestones to be Achieved
  • 4. Executive Summary: Loss of C. I. A. = Loss of
  • 5. A Statement of the Problem and Hypotheses. Is the organization safe from a data breach, from being held hostage by ransomware, or from a bad actor who would use technology to steal, erase or watch the organization’s data? Suppose the organization is not protected from these and other similar scenarios. In that case, there is a high probability the organization would find it a business necessity to include a CISO in the organization’s leadership team. To demonstrate this probability, the MJC process and statistical application, which organizations use to identify and determine the need for a CISO, was created to enable the business with good cybersecurity and cyber hygiene best practices. Image courtesy of betanews. Image courtesy of The Texas Record.
  • 6. Overview of the Organizational Design. Image courtesy of Slideshare (Aash, 2016).
  • 7. A Statement of the Problem and Hypotheses. Understand the value & business need for employing a CISO. Does your organization need a CISO?
  • 8. Strategic Cybersecurity Plan Template. *SMART – Specific, Measurable, Achievable, Realistic, & Timely. **PPT is short for People, Process & Technology. Define the Organization’s: • Mission • Principles • Goals & • Action Plan
  • 9. Cybersecurity Roadmap Template. NARUC Strategy Development Framework (NARUC, 2018). Based on industry best practice (NARUC); aligned to the organizational strategy; built using SMART goals & objectives; output provides collaboration and bought-into KPIs.
  • 10. Overview of the Data Analysis. Tailored to the organization; aligned to the strategy; a valued decision analysis tool.
  • 11. A Strategic Plan to Incorporate a CISO. This strategic plan is a living document delineating the high-level objectives protecting the organization’s data, internal infrastructure, and cloud environment. To provide such protection, the CISO must tie in duties and performance metrics (KPIs) achieving the following high-level strategic goals: 1. Establish Sound Policies and Planning 2. Improve Audit Log Review/Analysis Reporting 3. Maintain Operational Compliance as per Organizational Requirement 4. Identify and Enable Basic Cyber Hygiene 5. Establish and Mature a Robust Cyber Awareness Program 6. Strengthen Privacy Compliance
  • 12. Conclusion. SMART goals aligned with the organizational strategy, focused on People, Process & Technology. Measure what matters. Image courtesy of
  • 13. CONTRIBUTION. A good CISO understands it’s about people first. Good cyber hygiene is practiced by all and implemented by leadership. Win/Win/Win for the organization. If we are to improve trust in the system, it is imperative we use sound and timely tools, techniques and analysis over guesses, hunches and assumptions.
  • 14. https://www.maximumjusticecybersecurity.com/ max@maximumjusticecybersecurity.com I look forward to talking to you again in the future. Next time, bring friends.

Editor's Notes

  1. In today's plugged-in world, there are many challenges we face, and many of these challenges are in the realm of cybersecurity. Unfortunately, for too many executives, good cybersecurity is not worth the cost. Some executives think about the implications and risks; others do not. Today, during my Mini-Skirt presentation (I call it a mini-skirt presentation because it will be long enough to cover the essentials and short enough to hold your attention), I will share with you how to turn around this thinking and this lack of understanding of the need for having a cybersecurity SME around. Today, I’m providing you with the details of my Statistical Approach to Determining the Need for a CISO, as well as sharing an Associated Strategic Plan for including the CISO to Provide Organizational Continuous Improvement efforts.
  2. The agenda covers an executive summary, a statement of the problem and hypotheses, an overview of the organizational design, an overview of the data analysis, a strategic plan integrating a CISO into an organization’s leadership team, and a conclusion. Within the conclusion is a brief roadmap with a timeline and milestones to be achieved. The conclusion is based on the results obtained from a pilot study supporting the plan and recommendations for further action.
  3. Let’s jump into the heart of the issue. Today, every organization is worried about cybersecurity because Information Technology is embedded in almost every organization, from communication to logistics, from operations to the supply chain; today, nearly all organizations rely on IT for critical and essential functions. Because every organization uses IT, a question arises: is the organization safe from a data breach, from being held hostage by ransomware, or from a bad actor who would use technology to steal, erase or watch the organization’s data? If the organization is not protected from these and other similar scenarios, there is a high probability the organization would want to include a CISO in the organization’s leadership team. To prove this probability, I have created the Maximum Justice Cybersecurity (MJC) process and statistical application, which organizations use to determine the need for a CISO. Based on the MJC statistical model, the organization will understand with high certainty the business fit and attractiveness of a CISO. By understanding whether the organization has an executable business need and requirement, the organization will also understand the value a CISO would bring to the organization through the employment of outcomes of interest and key performance indicators (KPIs).
  4. We now live in a world in which almost everything is plugged in and on. Because we are plugged in, we are creating an enormous amount of data. This ever-growing amount of data provides a great deal of insight, information, and detail about our customers and about everyone and everything a person or thing interacts with. This vastly expanding amount of data is moving us into what is known as the “Digital Age” (Satell, G.). During this transition to the digital age, organizations need to be able to definitively understand if and why an organization needs a CISO and the value a CISO adds. This digital livelihood requires an organization's leadership to know how much cybersecurity the organization needs. However, the organization’s leadership may not understand security, let alone cybersecurity (Arvin, 2020). Almost every organization uses IT, and because virtually every organization uses IT, a question arises for every one of these organizations: is the organization safe from a data breach, from being held hostage by ransomware, or from a bad actor who would use technology to steal, erase or watch the organization’s data? Suppose the organization is not protected from these and other similar scenarios. In that case, there is a high probability the organization would find it a business necessity to include a CISO in the organization’s leadership team. To demonstrate this probability, the MJC process and statistical application, which organizations use to identify and determine the need for a CISO, was created to enable the business with good cybersecurity and cyber hygiene best practices.
  5. If an organization needs a CISO, the leadership needs to understand they are bringing in another Chief, and one who presents regularly to, if not reports directly to, the CEO and the board of directors (Ponemon Institute, 2017). The CISO is responsible for the organization’s Confidentiality, Integrity, and Availability (Cole, 2020). By understanding the level of the CISO within the organization, the primary recommendation in this paper helps the organization understand if there is a business fit and if it is economically feasible. As you can see, in the expanded role of the CISO, every organization needs a CISO who will enable the business. This is not going to be an easy job; in fact, it is quite complex to provide a secure and compliant infrastructure by leveraging the right people, processes and technologies. The CISO is part of the executive management team and reports to the BOD and the CEO. In many cases, the CISO currently reports to the CIO; however, this is not the recommended best practice going forward. The reason is that the CIO is only concerned with availability, whereas the CISO is concerned with the confidentiality, integrity and availability of our data and has to communicate directly with the BOD, communications executives, investors, clients and other high-level stakeholders worried about these risks. The risks in our organization need a coordinated approach to risk management, using frameworks and best practices to protect our data by ensuring our business drivers are aligned to provide confidentiality, integrity, and availability of our information.
  6. This output is derived from, and assessed based on, the completion of the table on slide 10: Does Your Company Need A CISO? A Scorecard & Decision Analysis Tool. This output will enable an organization to understand the value and business need to employ a CISO within the organization's executive structure. By utilizing Table 1, along with Figure 1 (MJC Weighted Scoring Model: Does Your Company Need A CISO?), an organization will understand the functionality and level of responsibility a CISO would need within the organization. In addition to understanding the functionality and level of responsibility of the CISO, successful CISOs align their duties and delivery efforts with the organization’s mission and organizational objectives (Ponemon Institute, 2017). Therefore, the CISO must build organizational-level plans tied to business objectives, addressing what needs to change and why it needs to change, including identifying how this strategy is aligned with the overall organizational strategy. This includes determining how the change will be implemented, how the KPIs are monitored and how progress is communicated (McCoy, 2020). Within this plan is a template any CISO, new or previously in place, can use to build out their Strategic Cybersecurity Plan, Framework, and Roadmap.
  7. Holistically, this document in its entirety is a template any organization, C-level executive, and CISO can use to create their organization's strategic cybersecurity plan. CISOs should leverage this document to ensure their roles and responsibilities are tied to the organization’s mission and objectives, as well as have a business fit and have KPIs to measure performance. To visualize this association, below is a template an organization or C-Level executive should use to demonstrate how a CISO’s role and responsibilities align with the organization’s mission and principles, having associated goals and actions for the CISO to take.
  8. There are many keys to building a cybersecurity roadmap. One key is to ensure the roadmap is aligned to SMART objectives and goals (NARUC, 2018). The SMART objectives define how the organization will meet the SMART goals. Albeit every organization will have different goals and objectives, what is important is that each goal and objective is specific, measurable, achievable, realistic, and timely/time-bound. Once SMART goals and objectives are well defined, the roadmap needs a well-defined scope in which to operate and perform cybersecurity activities. With SMART goals and objectives, an organization can identify and track meaningful metrics from which to perform continuous improvement activities. These ongoing improvement activities are measured using key performance indicators (KPIs) (NARUC, 2018). Another challenge executives have is building a successful cybersecurity roadmap, especially when there is little internal support. Like many activities and challenges in life or in an organization, success does not come alone. Executives, especially CISOs, need to identify key stakeholders to help build support, show impact across the organization, enable all of the organization’s business functions and activities, and demonstrate a full understanding of all of the resources leveraged by each business unit. With SMART goals and objectives, a well-defined scope, KPIs, collaboration across the organization, and a full understanding of the resources, the organization has the data points from which to build talking points and communicate a plan to implement the strategy. The strategy is then reviewed for progress and to improve and mature the organization's strategic goals. Combined, this process is a circular continuous improvement activity which should never stop. If it stops, there is a high probability the organization’s cybersecurity will fail to meet and deliver to the organization’s needs, objectives
  9. Within this presentation is a proposed large-scale plan which is aligned to an organization's larger organizational strategy and is used in determining if there is a business and economic fit. In particular, this plan is to be used by the C-suite and the Board of Directors. For this plan to work, it must be aligned to the organization’s mission, and there must be buy-in from the executive ranks if success is to be achieved. To achieve buy-in, the MJC Weighted Scoring & Decision Model (MJC Weighted Scoring Model: Does Your Company Need A CISO?) is aligned with the organizational need, role, and responsibilities. Implementation within each organization needs to be addressed, planned, and calculated to minimize risk and any adverse impact on the organization’s operations. In any event, for success to be achieved, the organization must determine how best to obtain stakeholder buy-in and alignment to move forward with a large-scale initiative. In this particular case, the organization can move forward based on a data-centric approach (Ruma, 2020) in determining if it needs an executive champion known as a CISO. The MJC Scorecard and Decision Analysis Tool (Does Your Company Need a CISO? A Scorecard & Decision Analysis Tool) above is a highly tailorable model. Suppose the data elements recommended in this study do not resonate with the organization; then, by all means, change the data elements, and the analyst performing the MJC Weighted Scoring Model assessment (MJC Weighted Scoring Model: Does Your Company Need A CISO?) should adjust to those factors which resonate with the organization’s leadership. To complete the scoring factors, an organization should first determine that the right need is addressed. The organization should identify only the top 25 needs related to the organization’s understanding of cybersecurity. The reason for addressing only the top 25 needs is to avoid paralysis by analysis (Rodriguez, 2015).
Once the conditions are agreed upon, the executive leadership team should be interviewed and scored individually so as not to create bias or be influenced by others. Upon completion of the interviews, the scores for each need are averaged to find the organizational understanding.
  10. 1. ESTABLISH SOUND POLICIES AND PROCEDURES
One of the most effective and least expensive means of preventing serious cybersecurity incidents is establishing a policy which clearly defines organizational security objectives. The CISO will lead these activities. The CISO can best support the organization by analyzing its current policies, procedures, and plans and identifying a plan to mature the organization’s policies and procedures. The CISO will oversee the security team when performing a gap analysis on what policies and plans need to be developed. A short list of findings should be presented in an accompanying tactical plan.

2. IMPROVE AUDIT LOG REVIEW/ANALYSIS REPORTING
As defined by NIST SP 800-137 (Dempsey, Chawla, Johnson, Johnson, Jones, Orebaugh, Scholl, & Stine, 2011), a continuous monitoring plan must be part of any comprehensive cybersecurity protection program; it is a requirement in all federal data systems and highly recommended for any organization using information technology. The ability to detect and respond to suspected cybersecurity incidents in real time is critical to intruder detection and the prevention of data obfuscation. Collecting and storing event and machine log data without real-time analysis and alerting only provides evidence that a breach has occurred in the past. In contrast, automated data analysis tools provide real-time analysis of event and machine data logs and generate alerts based upon suspected log anomalies so that a timely response can occur. There are many event log management tools an organization could use to manage its ever-growing number of logs. Based upon this researcher's 25-plus years of industry experience, if the organization can afford it, Splunk Enterprise log management and analysis is an excellent piece of software many organizations use as their primary cybersecurity tool. In addition to log aggregation and storage, Splunk Enterprise provides real-time machine analysis of all logs collected and uses machine intelligence to analyze and alert on suspected anomalies and intrusions. This product can detect, for example, a nefarious user who is downloading extraordinary amounts of data or is accessing the system at inappropriate hours. By monitoring remote user access, the organization is much better equipped to detect breaches as they occur and respond accordingly.

3. MAINTAIN OPERATIONAL COMPLIANCE AS PER ORGANIZATIONAL REQUIREMENTS
Organizations in many industries are required to maintain compliance with numerous regulatory agencies and mandates. NIST SP 800-53 and the Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST) (Joint Task Force Transformation Initiative, 2013) are a great guide to meeting Cybersecurity Maturity Model Certification (CMMC), Continuous Diagnostics and Mitigation (CDM), Federal Information Security Modernization Act of 2014 (113th Congress, 2014), or Office of Management and Budget (OMB) mandates. Due to the rigors of these requirements, the use of automated tools for vulnerability detection and management, risk analysis, and regulatory compliance plays an integral part in the compliance process. Qmulos Q-Compliance software is an add-on to Splunk Enterprise, and it is another tool a CISO can use to provide continuous monitoring and assessment of compliance requirements. Utilizing event log and machine data analysis, Q-Compliance monitors hardware and software asset inventories and configurations, authoritative user action records, and other data sources to automate compliance monitoring and drive real-time dashboards for cybersecurity and administrative staff members. It combines real-time monitoring of machine data with the context and workflows of IT Governance, Risk, and Compliance (IT GRC) tools. Qmulos Q-Compliance adheres to the NIST Risk Management Framework (RMF) and NIST SP 800-53 Revision 4 (Joint Task Force Transformation Initiative, 2013) and provides real-time control monitoring on the Splunk Enterprise platform. With Splunk and Qmulos fully deployed, if a system configuration baseline is changed, the tools will flag the security team to inform the system owner and provide immediate remediation. The system owners would also be required to revert systems to the baseline configuration. In combination with established processes, these tools will reduce remediation timelines by eliminating the need for manual data collection. Another tool an organization should leverage is Tenable’s Nessus vulnerability scanner. This scanner solution provides numerous key vulnerability management and assessment functions. Nessus scans for open security vulnerabilities, rogue hardware additions to the network, and comprehensive hardware and software inventories. Scans can be run at any time, and organizations can use Nessus for scheduled and on-the-spot scans to meet the organization's needs. The scan results must be reviewed and analyzed by the security team to detect and address vulnerabilities or to validate that a toolset has implemented a change to mitigate the risk.

4. IDENTIFY AND ENABLE BASIC CYBER HYGIENE
Basic cyber hygiene means building a strong foundation for a secure cybersecurity program. Just as building a house should start with good planning, quality materials, and a knowledgeable construction crew, launching a new online data system requires executing fundamental steps to get off to a “good start.” Vulnerability management begins when a new data system is placed into operation and includes testing as well as applying patches or fixes to newly discovered weaknesses or vulnerabilities. Additionally, organizations should ensure timely and proactive vulnerability management is maintained. The organization’s infrastructure providers and all third-party vendors must maintain software and security patches and conduct POA&M remediation to support the good cyber-hygiene program. FISMA compliance (113th Congress, 2014) requires high, moderate, and low findings to be resolved within 30, 60, and 90 days, respectively. To do so, the organization’s security team will develop new dashboards in Nessus for application and compliance scans, which will provide dashboard views of vulnerability resolution, ensuring resolution within the required timeframe. The CISO should be accountable for sending automatic notifications to system owners and team members to improve the response time, especially over any manual process.

5. ESTABLISH AND MATURE A ROBUST CYBERSECURITY AWARENESS PROGRAM
Study after study has demonstrated that the majority of cybersecurity breaches start with an end user responding to a phishing, spear-phishing, or other directed social engineering attack (Zunier, 2016; Ranger, 2019; Oltsik, 2014). Nearly 91% of ransomware infestations have occurred because an unsuspecting end user opened and clicked on a link to a document in an email (Zunier, 2016). No matter how many levels of security a Defense-in-Depth strategy contains, preventing end users from self-infecting their workstations, thereby causing corruption of the entire data system, is paramount to a comprehensive cybersecurity plan. A key but often-overlooked part of the Defense-in-Depth strategy is a continuous end-user education program. Money spent on educating end users pays many dividends, as preventing an event is cheaper and causes much less impact than cleaning up after a system breach and data obfuscation. Therefore, the CISO will utilize several tools to educate the organization’s end users in avoiding unnecessary problems. Webinars, annual training, and security and privacy awareness tips in the organization’s newsletters must be an integral part of the organization's security environment and good cyber-hygiene best practice. End users should complete an annual cybersecurity awareness briefing that includes training on the most common types of social engineering techniques, such as phishing, spear phishing, and other email-based approaches, as well as telephone-based hacking methods. To earn the required annual training certificate, users must pass a test after completing the briefing. Organizations should also utilize an email-based anti-phishing program: a random sampling of end users will receive a simulated spear-phishing email and then be assessed on how they respond and react to it. End users who respond inappropriately will receive brief training on the proper way to recognize phishing attacks and on carrying out the appropriate response.

6. STRENGTHEN PRIVACY COMPLIANCE
The Privacy Act of 1974, as amended at 5 U.S.C. 552a (National Archives, 2020), requires the secure handling of Personally Identifiable Information (PII), including social security numbers, birthdates, etc., which could be used to steal the identity of an individual. A review and analysis of privacy procedures must be conducted regularly to ensure compliance with federally mandated controls on PII and the systems housing PII data. Recent events, including the Chinese breach of OPM involving the exfiltration of over 21 million security clearance applications (Fruhlinger, 2020) and the Equifax hack of over 141 million credit bureau records (Lobosco, 2017), serve as potent reminders of the threats from bad actors to such sensitive data. The ongoing review and analysis will ensure that general policies, guidance, and templates comply with privacy requirements.
  11. Cybersecurity is a continuous process requiring conscientious diligence and focus. Cybersecurity presents challenges, as bad actors are always ahead of the learning curve and require that we remain in a heightened state of readiness. The goals outlined in this document are intended to maintain an organization’s data systems in the best, most secure condition possible, utilizing current and emerging technologies and techniques. As demonstrated above, if an organization has a business fit and it is economically feasible, the organization should modify its organizational structure by bringing in a CISO to manage, monitor, and control changes to the operational environment. Additionally, with the implementation of SMART goals and objectives, organizational leaders will understand why the strategy to implement a CISO is aligned with the overall organizational strategy. Finally, within the SMART goals and objectives of this framework is the identification of how the change will be implemented (who, what, when), including how the organization's KPIs are monitored and how progress towards achieving the KPIs is communicated.
  12. My contribution to you: To learn what it really means to bring a CISO into an organization and the impact you will see.
  13. You are still here – Thank you for making it this far, I’m impressed. For your hard work, I will leave you with a smile. Since it’s Xmas time, think about this: the only time nothing is negative is under the Christmas tree. This year, when counting down to the new year, please stop at zero to avoid the negative numbers or we will be here all night. What was Beethoven’s favorite fruit? Ba-na-na-naaaaaaa! Ba-na-na-naaaaaaa! A photon is going through airport security and the TSA agent asks it if there is any luggage – The photon says – No, I’m traveling light! The bartender says – We don’t serve your kind here. Then a time traveler walks into a bar.
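The interview-and-average step behind the scorecard in note 9 (each executive scored individually, the scores for each need averaged, at most 25 needs), worked through as an added example; this is not the MJC tool itself, and the 1-5 scale, the weights, the decision thresholds and the sample needs and scores are all constructed assumptions.

```python
"""Weighted scoring in the shape the notes describe: each executive scores
every agreed need independently, the scores per need are averaged, and the
averages are weighted into one decision score.  Everything numeric here
(1-5 scale, weights, thresholds, sample needs and scores) is an assumption
constructed for the example, not a value taken from the MJC scorecard."""
from dataclasses import dataclass
from statistics import mean

MAX_NEEDS = 25                 # the notes cap the scorecard at the top 25 needs
SCALE_MIN, SCALE_MAX = 1, 5    # assumed: 1 = need not understood, 5 = fully addressed


@dataclass(frozen=True)
class Need:
    name: str
    weight: float              # assumed relative importance (any positive number)


def average_need_scores(needs, interviews):
    """Average each need across interviews collected individually.

    interviews: {executive: {need_name: score}}.  Every interview must score
    exactly the agreed needs, on the assumed scale; anything else is rejected
    rather than silently skewing the average.
    """
    if not 0 < len(needs) <= MAX_NEEDS:
        raise ValueError(f"scorecard must list 1..{MAX_NEEDS} needs")
    if not interviews:
        raise ValueError("at least one executive interview is required")
    names = {n.name for n in needs}
    for exec_name, scores in interviews.items():
        if set(scores) != names:
            raise ValueError(f"{exec_name}: must score exactly the agreed needs")
        for need, score in scores.items():
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{exec_name}/{need}: score {score} is off-scale")
    return {n.name: mean(s[n.name] for s in interviews.values()) for n in needs}


def weighted_score(needs, averages):
    """Weighted mean of the averaged scores, normalised to 0..1.

    A low value means leadership's understanding and coverage of its
    cybersecurity needs is weak, which in this model argues for a CISO.
    """
    total_weight = sum(n.weight for n in needs)
    raw = sum(n.weight * averages[n.name] for n in needs) / total_weight
    return (raw - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)


def ciso_recommendation(score, strong=0.4, advisory=0.7):
    """Map the normalised score to a recommendation (thresholds are assumed)."""
    if score < strong:
        return "strong: business need for a CISO on the leadership team"
    if score < advisory:
        return "moderate: engage a CISO or vCISO and re-score in six months"
    return "covered: needs currently met, re-run the scorecard annually"


# Constructed sample scorecard: five needs instead of 25, three executives.
SAMPLE_NEEDS = [
    Need("Written security policy exists and is enforced", 3.0),
    Need("Audit logs are reviewed in near real time", 2.0),
    Need("Regulatory compliance is tracked continuously", 2.0),
    Need("Patching meets agreed remediation timelines", 2.0),
    Need("Staff receive recurring phishing awareness training", 1.0),
]
SAMPLE_INTERVIEWS = {
    "CEO": {n.name: s for n, s in zip(SAMPLE_NEEDS, [2, 1, 3, 2, 2])},
    "CFO": {n.name: s for n, s in zip(SAMPLE_NEEDS, [2, 2, 3, 1, 3])},
    "CIO": {n.name: s for n, s in zip(SAMPLE_NEEDS, [3, 2, 4, 3, 3])},
}


def run_sample():
    """Run the constructed scorecard; returns (averages, score, recommendation)."""
    averages = average_need_scores(SAMPLE_NEEDS, SAMPLE_INTERVIEWS)
    score = weighted_score(SAMPLE_NEEDS, averages)
    return averages, score, ciso_recommendation(score)


if __name__ == "__main__":
    avgs, score, rec = run_sample()
    for name, avg in avgs.items():
        print(f"{avg:4.2f}  {name}")
    print(f"weighted score {score:.2f} -> {rec}")
```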
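The two detections note 10 (goal 2) describes for real-time log review, a user downloading extraordinary amounts of data and a user accessing the system at inappropriate hours, written out as an added example that is not from the deck or from any vendor product; the log line format, the business hours, the volume thresholds and the sample lines are constructed assumptions.

```python
"""The two detections the notes name for real-time log review, run over a few
constructed log lines: a user pulling an extraordinary volume of data, and a
user active at inappropriate hours.  The log format, the business hours and
the volume thresholds are assumptions; the lines are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Assumed line format: "<ISO timestamp> user=<name> action=<verb> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed working hours
VOLUME_FACTOR = 5           # assumed: flag totals above 5x the median user's total
VOLUME_FLOOR = 50_000_000   # assumed: and above 50 MB, so tiny medians don't flag everyone


def parse(lines):
    """Parse lines in the assumed format; malformed lines are counted, not dropped silently."""
    events, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "bytes": int(m["bytes"]),
        })
    return events, malformed


def off_hours_access(events):
    """(user, timestamp) for every event outside the assumed business hours."""
    return [(e["user"], e["ts"]) for e in events
            if not BUSINESS_START <= e["ts"].time() < BUSINESS_END]


def volume_outliers(events):
    """{user: total_bytes} for users whose download total is far above the median
    of all users' totals (relative check) and above an absolute floor."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[e["user"]] += e["bytes"]
    if len(totals) < 2:             # no peer group to form a baseline from
        return {}
    baseline = median(totals.values())
    return {u: t for u, t in totals.items()
            if t > VOLUME_FACTOR * baseline and t >= VOLUME_FLOOR}


# Constructed sample log lines (not real data); the last line is deliberately malformed.
SAMPLE_LOG = """\
2020-12-14T09:12:03 user=alice action=login bytes=0
2020-12-14T09:13:44 user=alice action=download bytes=2048000
2020-12-14T10:02:10 user=bob action=download bytes=1500000
2020-12-14T11:45:31 user=carol action=download bytes=3000000
2020-12-14T14:20:05 user=bob action=download bytes=1200000
2020-12-15T02:41:17 user=dave action=login bytes=0
2020-12-15T02:43:59 user=dave action=download bytes=120000000
2020-12-15T02:51:12 user=dave action=download bytes=95000000
this line is garbage and should be counted as malformed
""".splitlines()


def run_sample():
    """Returns (off_hours_events, volume_outliers, malformed_line_count)."""
    events, malformed = parse(SAMPLE_LOG)
    return off_hours_access(events), volume_outliers(events), malformed


if __name__ == "__main__":
    off_hours, outliers, malformed = run_sample()
    for user, ts in off_hours:
        print(f"off-hours access: {user} at {ts.isoformat()}")
    for user, total in outliers.items():
        print(f"volume outlier: {user} downloaded {total:,} bytes")
    print(f"{malformed} malformed line(s) skipped")
```

The median-based baseline is a stand-in for whatever peer baseline the real log platform computes; the point is that both checks run on the stream rather than on stored logs after the fact.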
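The 30/60/90-day remediation windows note 10 (goal 4) cites for high, moderate and low findings, applied as an added example (not the deck's own tooling and not scanner output) to a few constructed findings, producing the per-owner overdue list an automatic notification would be built from and the counts a resolution dashboard would show; finding ids, systems, owners and dates are constructed placeholders.

```python
"""The 30/60/90-day remediation clock the notes cite for high/moderate/low
findings, applied to constructed findings to produce the per-owner overdue
list an automatic notification would be built from, plus the counts a
resolution dashboard would show.  Ids, systems, owners and dates are
constructed placeholders, not scanner output."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the notes, in days from first detection
SLA_DAYS = {"high": 30, "moderate": 60, "low": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str                   # placeholder id
    system: str
    owner: str
    severity: str                     # "high" | "moderate" | "low"
    first_seen: date
    resolved: Optional[date] = None   # None while still open


def due_date(f):
    """Date by which the finding must be resolved under the stated window."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"{f.finding_id}: unknown severity {f.severity!r}")
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def status(f, as_of):
    """(state, days_late): state is 'resolved', 'resolved_late', 'open' or 'overdue'."""
    due = due_date(f)
    if f.resolved is not None:
        late = (f.resolved - due).days
        return ("resolved_late", late) if late > 0 else ("resolved", 0)
    late = (as_of - due).days
    return ("overdue", late) if late > 0 else ("open", 0)


def overdue_by_owner(findings, as_of):
    """Open findings past their window, grouped by system owner (the notification fan-out)."""
    out = {}
    for f in findings:
        state, late = status(f, as_of)
        if state == "overdue":
            out.setdefault(f.owner, []).append((f.finding_id, f.system, f.severity, late))
    return out


def dashboard_counts(findings, as_of):
    """Counter of (severity, state) pairs: the numbers a resolution dashboard would chart."""
    return Counter((f.severity, status(f, as_of)[0]) for f in findings)


# Constructed findings and reporting date (not real data)
AS_OF = date(2020, 12, 20)
SAMPLE_FINDINGS = [
    Finding("F-001", "hr-portal", "owner-a", "high", date(2020, 11, 1)),
    Finding("F-002", "hr-portal", "owner-a", "moderate", date(2020, 11, 1)),
    Finding("F-003", "file-share", "owner-b", "low", date(2020, 9, 1)),
    Finding("F-004", "vpn-gateway", "owner-c", "high", date(2020, 11, 15), date(2020, 12, 10)),
    Finding("F-005", "vpn-gateway", "owner-c", "high", date(2020, 10, 1), date(2020, 11, 10)),
]


if __name__ == "__main__":
    for owner, items in overdue_by_owner(SAMPLE_FINDINGS, AS_OF).items():
        for fid, system, sev, late in items:
            print(f"notify {owner}: {fid} on {system} ({sev}) is {late} day(s) overdue")
    for (sev, state), n in sorted(dashboard_counts(SAMPLE_FINDINGS, AS_OF).items()):
        print(f"{sev:9}{state:14}{n}")
```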