Stuff My CISO Says
Many CISOs come from a technical rather than a business background. However, we need to be able to communicate with senior management, business-area leaders and users, who are usually not technologists. In this talk we look at some of the common topics CISOs need to cover and discuss how to rephrase the messages so they reach a business-oriented audience. We will discuss: how to think about security risks the way business personnel do; how to translate technical security topics into more business-friendly language; and how to reach a broader audience with the information security message.

Speaker notes (the Bad CISO / Good CISO slides are illustrated with movie villain and hero pairs):
  • Check out my , with links to my Twitter feed and the Security and Coffee blog.
  • Hedley Lamarr
  • Sheriff Bart
  • Agent Smith
  • Morpheus
  • Mr. Han
  • Bruce Lee
  • Dr. No
  • Bond
  • Dr. Evil
  • Austin Powers
  • Darth Vader
  • Yoda – Together we work with business, on-time to finish, needed controls we will have.
  • Khan
  • Kirk
  • Colonel Klink
  • Colonel Hogan

    1. (Title slide)
    2. Security Isn't Easy… We didn't get into it for the…
    3. The Challenge of Security Awareness. Nobody cares about security… Why? And how do we get their attention and support?
    4. Issues: Security is viewed as a negative. Avoidance vs. "risk": delays, cost, extra work, "gotchas".
    5. It Can't Be Just…
    6. We need sensible controls…
    7. … early in the process…
    8. Bad CISO / Good CISO
    9. Governance (Bad CISO): "Governance… We don't need no stinkin' governance!"
    10. Governance (Good CISO): Develop a clear strategy using an industry-standard framework.
    11. Policy (Bad CISO): "All security policy is the same. I got mine from a book." ("Hello, Mr. Anderson.")
    12. Policy (Good CISO): Policies are based on solid principles, but adapted to fit the organization. (… and prophecies from the Oracle.)
    13. Compliance (Bad CISO): "We write the policies. We make people sign an oath. Done." (Compliance and consequences policy.)
    14. Compliance (Good CISO): We must make (understandable) policies. We must teach. We must assess, measure and report.
    15. Awareness (Bad CISO): "Users will know what they have to do, or be eliminated."
    16. Awareness (Good CISO): Users can talk to Security. We teach. We answer questions.
    17. Senior Management (Bad CISO): "I say what they want to hear. They're not listening anyway."
    18. Senior Management (Good CISO): Give them the information they need and they will be engaged.
    19. Projects and Dev (Bad CISO): "They can pay me now, or they can pay me later."
    20. Projects and Dev (Good CISO): We work together with the business to finish on time and with the needed controls.
    21. Business Needs (Bad CISO): "I buy the best-known security products because they've got to be good."
    22. Business Needs (Good CISO): Working together, we find control- and cost-effective security products that work and are usable.
    23. Operations (Bad CISO): "We've always done it this way."
    24. Operations (Good CISO): We partner with the business and tailor the program to meet the need.
    25. Stuff I Say… KISS.
    26. Stuff I Say… No one has "read and understood", but they are definitely still responsible. Simple, direct language in policy. Compliance via education.
    27. Stuff I Say… You pay by the word. Keep policies short and sweet; if not, you'll pay on the compliance-effort side.
    28. Stuff I Say… People want to do the right thing, but what is the right thing? Understandable policy. Simple rules.
    29. Stuff I Say… Do what makes sense. Risk-management approach. Seek out and destroy meaningless policy, controls and practices.
    30. Stuff I Say… Iterative improvement. Maturity model: COBIT, SEI CMMI.
    31. Stuff I Say… Automation! Metrics, tools, reporting.
    32. Stuff I Say… What is the business need? Find out the business need in plain business language.
    33. Stuff I Say… Have fun!
    34. Discussion… Slides at , @bcaplin, +barry caplin