The document summarizes Katherine Brocklehurst's presentation at the 2013 SANS CSC Summit where she discussed the role and challenges of the Chief Information Security Officer (CISO). Some key points included that the CISO needs business experience and the ability to communicate security issues to executives in a way that shows relevance to the organization's mission. The presentation also discussed using metrics and dashboards to provide visibility into the organization's security posture and risks across different business units and technical platforms to report to various stakeholders.
8. I need to…
• Effectively govern the privacy and security of our digital assets
• Communicate the value of security to my business/mission
• Connect security to our mission
• Establish relevance with my Board, executives and colleagues
• Gain insights into our information security cyber-risks
• Measure, compare and contrast our risk posture
• Get more visibility [I don’t know what I don’t know]
• Provide timely reports for many different constituents
27. SANS 1&2 Security Control Coverage
“To know that I’ve got a device out there that’s not being monitored is even closer to my heart.”
-T/CISO, Telecom
28. “Once our remediation process is in place, we will roll in Vulnerability metrics.”
-ISSM, State/Local/Fed
“We aren’t good at vulnerability assessment right now. We will add the VA factor later.”
-VP IT Operations & Security, Industrials
[Chart: Security Control Coverage, plotting Index against Target Range by Priority (Critical, High, Medium), by Business Units (Finance, R&D, Marketing, Accounting, Web Services) and by Platform Family (Microsoft, Solaris, Linux)]
29. “It doesn’t matter where you set the initial benchmark. Set it and run the data for 6 months, see how your Business Units behave.”
-VP, Big Oil
-CISO, Financial Services
“The math is irrelevant. Whether it goes up or down has the meaning.”
[Chart: Security Control Coverage, plotting Index against Target Range by Priority (Critical, High, Medium), by Business Units (Finance, R&D, Marketing, Accounting, Web Services) and by Platform Family (Microsoft, Solaris, Linux)]
30. “This is trending on steroids.”
-B/CISO, Banking
“I need flexible access to my organization’s deep hierarchy.”
-S/CISO, Big Oil
“I need to subdivide my categories.”
-Senior Security Architect, Healthcare
31. “That was a great chart if that was consistently what I could show senior leadership.”
-B/CISO, Retail
“Don't use Red/Amber/Green. Establish your risk tolerance and either you're compliant or you're not.”
-VP, Compliance
“I see a lot of benefits… it’s giving my execs access to see this data real time for themselves.”
-T/CISO, Tech
SANS 3 Performance for Business-Critical Assets
32. SANS Controls Security Business Intelligence Summary
Across Business Context
SANS 1&2: Asset Inventory
SANS 3: SCM/CA
SANS 4: VA
SANS 5: Malware
Aggregated/Weighted Operational Reports
• Objective
• Factual
• Trustworthy
• Consistent
• Understandable
• Actionable (or demonstrated actions taken)
• Business Context
Editor's Notes
And this is just for fun. Sorry if you aren’t into Star Trek: The Next Generation. This certainly underscores that when you don’t have business context (such as the context for the mission - ) you can’t relate. That’s how the C-suite might feel when they get ‘jargon’d’ and don’t really get the point.