This webinar discusses the ever-present challenges of the CISO position in an organization, identifies what they are, and shows how to overcome them in a strategic way.
• Challenges
• Ways to overcome them
• Final notes
Presenters:
Roberth Chavez has been with Deloitte for the last 10 years, working in the cyber risk area from the start. He is the Cyber Risk leader for Ecuador. Roberth has participated in several information security projects in Ecuador and has been responsible for more than 60% of the ISO 27001 certifications locally. Roberth is also a freelance facilitator for IAI, ISACA, and PECB in Ecuador.
Webinar recording: https://youtu.be/Ji02UNoY0yA
Role of CISO: challenges of yesterday, today and tomorrow
1. Role of CISO: challenges of yesterday, today and tomorrow
December 2016
2. Roberth Chavez
Vice President
Contact Information
+593997405581
roberth.chavez@gmail.com
www2.deloitte.com/ec/
ec.linkedin.com/in/roberthchavez
robsterchavez
4. CISO's role
• TODAY: Provide the leadership and guidance necessary for an organization to manage the risks related to the confidentiality, integrity and availability of the organization's information.
5. CISO's role (2)
• How has this role evolved?
From: technology-centric implementer
To: business-process-aware, risk-focused, consultative professional
6. CISO's challenges
Legend: Y = yesterday, T = today, To = tomorrow; an x marks the period in which the challenge applies. Where the slide shows only two marks, it does not indicate which two periods they refer to.

Challenge: Lack of resources and effective team structure
Y T To: x x x
Ways to overcome it:
- Identify your team's strengths and build on them.
- Determine what motivates each person and assign them that role.
- Invest a little: prepare your team progressively.

Challenge: Weak relationships with the business units within the organization
Y T To: x x
Ways to overcome it:
- Change the role towards a consultative/advisor figure (this requires getting into the organization's DNA: know the business).
- Speak their "dialect".

Challenge: Ineffective communication/reporting among stakeholders and throughout the organization
Y T To: x x
Ways to overcome it:
- Old saying: when a hen lays an egg, everybody knows. Inform about achieved milestones.
- Get to know the audience, then prepare the message.
- Use existing channels: do not reinvent the wheel.
7. CISO's challenges (2)
Legend as before: Y = yesterday, T = today, To = tomorrow; an x marks the period in which the challenge applies.

Challenge: Lack of support or trust from executive leadership and stakeholders
Y T To: x x
Ways to overcome it:
- Use a business-centric, risk-focused approach: identify the 20% of information that drives 80% of the business.
- Justify information security investment from a business point of view.
- Keep communication to a "just measure": neither too much nor too little.

Challenge: Inadequate governance, including overall strategy and processes
Y T To: x x
Ways to overcome it:
- Keep everybody who needs to be involved in the game: determine the involvement approach.
- Define what is needed to plan, execute, check and improve your infosec processes.

Challenge: Insufficient funding
Y T To: x x x
Ways to overcome it:
- Again: use a business-centric, risk-focused approach; identify the 20% of information that drives 80% of the business.
- Determine the weak spots in the organization; start by investing internal resources and leveraging existing infrastructure.
8. The four faces of the CISO
Taken from the article "Deloitte reveals the four faces of the CISO", August 2015.
• Strategist: Drive business and information security risk strategy alignment,
innovate and instigate transformational change to manage risk through valued
investments.
• Advisor: Integrate with the business to educate, advise, and influence activities
with information security risk implications.
• Guardian: Protect business assets by understanding the threat landscape and
managing the effectiveness of the information security risk program.
• Technologist: Assess and implement security technologies and standards to
build organizational capabilities.
10. ISO 27001 training courses
ISO/IEC 27001 Introduction: 1-day course
ISO/IEC 27001 Foundation: 2-day course
ISO/IEC 27001 Lead Implementer: 5-day course
ISO/IEC 27001 Lead Auditor: 5-day course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events