© 2015 IBM Corporation
From checkboxes to frameworks
CISO insights on moving from compliance to risk-based cybersecurity programs
October 2015
The CISO Assessments have chronicled critical and emerging issues
for security leaders while also identifying leading practices to pursue
2012: Finding a strategic voice
Established three archetypes for security leaders – the Responder, the Protector, and the Influencer – and explored their characteristics.
2013: A new standard for security leaders
Identified practical steps for security leaders to reach the position of Influencer – through business practices, technology, and measurement.
2014: Fortifying for the future
Sought to define the next stage in the evolution of security leadership in order to provide recommendations for the future.
About this report
This IBM Center for Applied Insights report is based on
“Identifying How Firms Manage Cybersecurity Investment,” an
IBM-sponsored study by the Darwin Deason Institute for Cyber
Security, part of the Lyle School of Engineering at Southern
Methodist University in Dallas, Texas.
In-depth interviews were conducted in a semi-structured
approach to explore top cybersecurity risks, how risks are
determined, organizational support for cybersecurity initiatives
and how investments are prioritized.
In 2015, we took a closer look at how CISOs develop cybersecurity
strategy and prioritize security investments
•  Cybersecurity risk is a top C-suite priority with funding for security efforts growing
to reflect the gravity of the challenge
•  Historically, cybersecurity investment decisions were commonly based on the
“checkbox” approach to meet compliance requirements
•  Security leaders are now transforming their programs to be risk-based by using
customized frameworks to determine risks and prioritize security investments
Security leaders interviewed by industry
Top challenges facing CISOs in transforming to a risk-based program
•  Focusing on the “strategic”: How do I transform a compliance-based security program into one focused on risk?
•  Communicating priorities: How can I best communicate risk to top management and manage expectations?
•  Making cybersecurity strategy consumable: Do I have the skills, resources and tools to implement the right controls for success?
CISOs are increasingly turning to frameworks as the strategic tool of
choice to assess risk and prioritize threats
Key elements of a cybersecurity program:
•  Consider business priorities, assets, processes
•  Document formal cybersecurity strategy, objectives and goals
•  Evaluate and prioritize gaps in current vs desired state across risk management controls
•  Build a plan to address, monitor and reassess the prioritized control gaps
•  Define formal framework of risk management controls
Frameworks, past attacks on firms, and industry best practices rank
as the top cybersecurity prioritization approaches to risk management
Customized frameworks help to move beyond compliance to risk-based strategy
“Security has to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there’.”
-- CISO, Retail
•  Traditional focus on security compliance doesn’t ensure organizations
are best prepared for potential security breaches
•  Frameworks provide a better basis for risk assessment to thoroughly and
consistently assess security challenges and determine gaps
•  Companies developing their own cyber-risk frameworks are more likely to
have a deeper understanding of the real risks to their organizations
Frameworks help increase collaboration with the C-suite to
communicate priorities
•  Frameworks are an effective communication tool for CISOs to relay
cybersecurity strategy to upper management for buy-in
•  85% of CISOs reported that upper-management support for
cybersecurity efforts has increased
•  88% of CISOs reported that their security budgets have increased
•  25% of CISOs surveyed who thought they were spending
appropriately also used frameworks as a strategic tool
“Senior leadership is looking for me to articulate what the security strategy is in words, in projects, and in dollars that make sense to them.”
-- CISO, Retail
Frameworks provide guidance to move from cybersecurity strategy
to implementation
“The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of-the-art routines in cybersecurity.”
-- Associate Professor of Managed Information Security, United States
•  Perceived “risk reduction” and “compliance” still top the list to ensure
that baseline security objectives are met
•  The talent shortage has led many CISOs to look externally to
supplement skills and resources
•  CISOs rely on peer networks, third-party information and third-party
threat intelligence data
To combat the talent shortage, security leaders and academic
institutions can take a collaborative approach to skills development
•  Train students to be facilitators between technology and business by integrating
business components into technical curriculum and vice versa
•  Create holistic curriculum that mimics real-world conditions and the challenges of
security leaders
•  Produce versatile experts who use predictive and behavioral analytics to understand
and stay ahead of attacks
“Cybersecurity has evolved, and the education has evolved correspondingly. It’s moved from being primarily technical and hands-on to incorporating more management, leadership and policy.”
-- Director, Managed Security Information Program, United States
Source: Shaping security problem solvers: Academic insights to fortify for the future, IBM Center for Applied Insights, 2015
While compliance continues to be a big focus, frameworks are
helping to drive investments in risk reduction
Key takeaways for developing risk-based cybersecurity programs
•  Move beyond compliance to risk-based strategy: Customize frameworks to enable strategic assessment of the real risks to the organization, highlighting cybersecurity priorities.
•  Increase collaboration with the C-Suite: Use frameworks as an effective communications tool to relay cybersecurity strategy in a more consumable way to stakeholders for buy-in.
•  Apply framework-driven cybersecurity insights: Engage the right skills, third-party intelligence and industry best practices to implement the guidance derived from frameworks.
© Copyright IBM Corporation 2015
IBM Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States of America
December 2014
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corporation in the United States, other countries or both. If these and other IBM trademarked
terms are marked on their first occurrence in this information with a trademark symbol (® or
TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the
time this information was published. Such trademarks may also be registered or common law
trademarks in other countries. Other product, company or service names may be trademarks
or service marks of others. A current list of IBM trademarks is available on the web at
“Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at
any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR
CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms
and conditions of the agreements under which they are provided.
The findings described in this report are not to be construed as an endorsement
by the Darwin Deason Institute for Cyber Security at SMU. The Darwin Deason
Institute for Cyber Security neither agrees nor disagrees with the opinions
provided in this report.

React Server Component in Next.js by Hanief Utama
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 

Cyber security framework

  • 1. © 2015 IBM Corporation From checkboxes to frameworks CISO insights on moving from compliance to risk-based cybersecurity programs October 2015
  • 2. The CISO Assessments have chronicled critical and emerging issues for security leaders while also identifying leading practices to pursue
      • 2012, Finding a strategic voice: Established three archetypes for security leaders – the Responder, the Protector, and the Influencer – and explored their characteristics.
      • 2013, A new standard for security leaders: Identified practical steps for security leaders to reach the position of Influencer – through business practices, technology, and measurement.
      • 2014, Fortifying for the future: Sought to define the next stage in the evolution of security leadership in order to provide recommendations for the future.
  • 3. About this report: This IBM Center for Applied Insights report is based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by the Darwin Deason Institute for Cyber Security, part of the Lyle School of Engineering at Southern Methodist University in Dallas, Texas. In-depth interviews were conducted in a semi-structured approach to explore top cybersecurity risks, how risks are determined, organizational support for cybersecurity initiatives and how investments are prioritized.
      In 2015, we took a closer look at how CISOs develop cybersecurity strategy and prioritize security investments:
      • Cybersecurity risk is a top C-suite priority with funding for security efforts growing to reflect the gravity of the challenge
      • Historically, cybersecurity investment decisions were commonly based on the “checkbox” approach to meet compliance requirements
      • Security leaders are now transforming their programs to be risk-based by using customized frameworks to determine risks and prioritize security investments
      [Figure: Security leaders interviewed by industry]
  • 4. Top challenges facing CISOs in transforming to a risk-based program
      • Focusing on the “strategic”: How do I transform a compliance-based security program into one focused on risk?
      • Communicating priorities: How can I best communicate risk to top management and manage expectations?
      • Making cybersecurity strategy consumable: Do I have the skills, resources and tools to implement the right controls for success?
  • 5. CISOs are increasingly turning to frameworks as the strategic tool of choice to assess risk and prioritize threats
      Key elements of a cybersecurity program:
      • Consider business priorities, assets, processes
      • Document formal cybersecurity strategy, objectives and goals
      • Evaluate and prioritize gaps in current vs desired state across risk management controls
      • Build a plan to address, monitor and reassess the prioritized control gaps
      • Define formal framework of risk management controls
  • 6. Frameworks, past attacks on firms, and industry best practices rank as the top cybersecurity prioritization approaches to risk management
  • 7. Customized frameworks help to move beyond compliance to risk-based strategy
      “Security has to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there’.” -- CISO, Retail
      • Traditional focus on security compliance doesn’t ensure organizations are best prepared for potential security breaches
      • Frameworks provide a better basis for risk assessment to thoroughly and consistently assess security challenges and determine gaps
      • Companies developing their own cyber-risk frameworks are more likely to have a deeper understanding of the real risks to their organizations
  • 8. Frameworks help increase collaboration with the C-suite to communicate priorities
      • Frameworks are an effective communication tool for CISOs to relay cybersecurity strategy to upper management for buy-in
      • 85% of CISOs reported that upper-management support for cybersecurity efforts has increased
      • 88% of CISOs reported that their security budgets have increased
      • 25% of CISOs surveyed who thought they were spending appropriately also used frameworks as a strategic tool
      “Senior leadership is looking for me to articulate what the security strategy is in words, in projects, and in dollars that make sense to them.” -- CISO, Retail
  • 9. Frameworks provide guidance to move from cybersecurity strategy to implementation
      “The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of-the-art routines in cybersecurity.” -- Associate Professor of Managed Information Security, United States
      • Perceived “risk reduction” and “compliance” still top the list to ensure that baseline security objectives are met
      • The talent shortage has led many CISOs to look externally to supplement skills and resources
      • CISOs rely on peer networks, third-party information and third-party threat intelligence data
  • 10. To combat the talent shortage, security leaders and academic institutions can take a collaborative approach to skills development
      • Train students to be facilitators between technology and business by integrating business components into technical curriculum and vice versa
      • Create holistic curriculum that mimics real-world conditions and the challenges of security leaders
      • Produce versatile experts who use predictive and behavioral analytics to understand and stay ahead of attacks
      “Cybersecurity has evolved, and the education has evolved correspondingly. It’s moved from being primarily technical and hands-on to incorporating more management, leadership and policy.” -- Director, Managed Security Information Program, United States
      Source: Shaping security problem solvers: Academic insights to fortify for the future, IBM Center for Applied Insights, 2015
  • 11. While compliance continues to be a big focus, frameworks are helping to drive investments in risk reduction
  • 12. Key takeaways for developing risk-based cybersecurity programs
      • Move beyond compliance to risk-based strategy: Customize frameworks to enable strategic assessment of the real risks to the organization, highlighting cybersecurity priorities.
      • Increase collaboration with the C-Suite: Use frameworks as an effective communications tool to relay cybersecurity strategy in a more consumable way to stakeholders for buy-in.
      • Apply framework-driven cybersecurity insights: Engage the right skills, third-party intelligence and industry best practices to implement the guidance derived from frameworks.
  • 14. © Copyright IBM Corporation 2015 IBM Corporation New Orchard Road Armonk, NY 10504 Produced in the United States of America December 2014 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The findings described in this report are not to be construed as an endorsement by the Darwin Deason Institute for Cyber Security at SMU. The Darwin Deason Institute for Cyber Security neither agrees nor disagrees with the opinions provided in this report.