Sans 20 CSC: Connecting Security to the Business Mission


Published on

You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you not them who failed in the communication?

Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating – - on topics ranging from security breach information, status, performance metrics, risk, visualizations, or overall security posture with their executive leadership.

And largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.

Success with SANS

The initial UMASS Security Program was based on the ISO/IEC 27002 controls framework, then starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance and process from an IT auditor’s perspective, while the SANS controls focus on technology means they are better aligned with IT operations.

Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others) – it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into easily familiar business terms and concepts relevant to management and process.

However, when he ditched trying to explain the ISO/IEC 27002 security controls framework in favor of using the SANS 20 CSC, he was able to communicate much more effectively with his C-suite for the first time in a way they could absorb and support.

In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • And this is just for fun. Sorry if you aren’t into Star Trek the Next Generation. This certainly underscores that when you don’t have business context (such as the context for the mission - ) you can’t relate. That’s how the c-suite might feel when they get ‘jargon’d’ and don’t really get the point.
  • ×