The Gathering Storm

Presented at InnoTech San Antonio 2018. All rights reserved.


  1. The Gathering Storm - The CISO as a Transformational Leader
  2. “If something cannot go on forever, it will stop.” - Herbert Stein, economist
  3. Who Are We
     • Fred Ritch - Chief Operating Officer
       • Passion for making the complex simple
       • Career UX professional
       • Built user experience functions in several large organizations (IBM, Cisco, Dell)
       • Over 10 years of experience in InfoSec
     • Shelly Carlin - Chief Executive Officer
       • C-suite executive skilled at driving transformational change
       • 30+ years in finance and human resources
       • Former Chief HR Officer at Motorola
       • CEO, American Health Policy Institute
  4. What we’ll cover
     • Current state - The Rise of InfoSec
     • We’ve been here before - A cautionary tale
     • The CISO of the Future - Developing a business mindset
     • Preparing to Lead - What you can do now
  5. The Rise of InfoSec
     • Current InfoSec spending is estimated at $100 billion and expected to double in the next 10 years
     • Explosion of products and solutions fueled by significant venture capital investments
     • InfoSec is now one of the most important strategic challenges facing business
  6. Back to the future? (2015 Ponemon Study)
     Three survey questions, each answered for today and for three years from now:
     • Do your organization’s senior leadership view cybersecurity as a necessary cost or a competitive advantage?
       Necessary cost: 75% today, 41% in 3 years. Competitive advantage: 25% today, 59% in 3 years.
     • Does senior leadership view cybersecurity as a strategic priority?
       Yes: 34% today, 54% in 3 years. No or unsure: 66% today, 46% in 3 years.
     • Does your organization’s security leader brief the board of directors on the cybersecurity strategy?
       Yes: 22% today, 66% in 3 years. No or unsure: 78% today, 34% in 3 years.
  7. But… more money and greater visibility means people will ask: Where’s the money going?
  8. The CFO Wants to Know
     • Finance professionals dislike “unmanaged” spend - especially when it’s growing rapidly
     • The CFO is accountable to the Board and shareholders - so he will intervene, eventually… and try to measure something he probably doesn’t understand
     “If something cannot go on forever, it will stop.” - Herbert Stein, economist
  9. Cost of Employer-Sponsored Health Care (chart: private employers, 1997 - 2016; employer contributions and employee contributions, in billions of dollars, on a $0 to $600 scale)
  10. The current path is unsustainable
      • Accelerating spending that is not measured - and managed - is unsustainable
      • Pressure from the finance organization, the Board and regulators will result in the need to explain more clearly how money is being spent
      • The good news… we are at the early stage of the cost curve; history does not have to repeat
      Information Security professionals can transform our profession and create a sustainable foundation for the future.
  11. The CISO of the Future
      A security professional with a business mindset and a collaborative approach to protecting against the threat of cyber crime, who creates business value by:
      • Aligning InfoSec investments to business priorities - recognizing that all threats are not created equal
      • Measuring the effectiveness of InfoSec activities in financial terms
      • Collaborating with the broader organization to lead an integrated response to the cyber threat
  12. What is a Business Mindset?
      • When everything you do is intended to create competitive advantage for your company
      • There are two ways to create competitive advantage
        • Increase revenue
        • Reduce costs
      Everything you do must lead to higher revenue or lower costs - or why are you doing it?
  13. How InfoSec Creates Strategic Advantage
      • Assess and Quantify Risk
      • Measure Financial Performance
      • Collaborate Across the Organization
      • Communicate Effectively
  14. Assess and Quantify Risk
      • The CISO of the future will be skilled at assessing risk in the context of business strategies and quantifying it
      • The fundamental job of InfoSec is to help management determine the level of acceptable risk
      • Since risk must be assessed across the organization, it must be measured in the single common measure of business - dollars
  15. Quantifying Risk
      • Since every business decision is about allocating scarce resources, all decisions must be stated in financial terms
      • The FAIR model is one approach to quantifying risk
      • Fundamental principles of FAIR
        • Risk - the probability that a loss will happen and the magnitude ($) of that loss
        • Measurement is not precision - it is the reduction of uncertainty
        • Probability v. Possibility - a world of difference
        • Forecasts are not predictions
  16. Measure Financial Performance
      • The CISO of the future will be charged with both fighting the war and getting smarter in funding the war against cyber crime
      • Instead of fighting budget battles, understand how resource allocation decisions are made - it’s about risk v. return
      • Invest in controls in a way that reflects the risk profile of your business
      • Measure the operational and financial performance of your controls
  17. How did your controls perform - financially?
      • Measuring how well your controls (tools, processes) prevented or identified an attack is only part of the story
      • Senior executives measure performance relative to the cost of delivering that performance
      • Once you align your InfoSec spending to the company’s most critical risks, you need to measure how well those controls performed - taking into account the amount invested in them
  18. Measuring InfoSec ROI
      Net Benefit (Cost) = COST of control failure, offset by SAVINGS from control success
      RETURN on INVESTMENT = Net Benefit (Cost) / INVESTMENT in the control
  19. Measuring InfoSec ROI - COST of control failure
      = actual cost of any breaches experienced during the period
      plus “Noise” - the actual cost of investigating false positives generated by the control
  20. Measuring InfoSec ROI - SAVINGS from control success
      = estimated average cost of a breach
      multiplied by the probability that a breach will occur and result in financial loss
  21. Measuring InfoSec ROI - INVESTMENT in the control
      = fixed cost of the control
  22. Measuring InfoSec ROI (recap of slide 18)
      Net Benefit (Cost) = COST of control failure, offset by SAVINGS from control success
      RETURN on INVESTMENT = Net Benefit (Cost) / INVESTMENT in the control
  23. Collaborate Across the Organization
      • The CISO of the future will work across organizations and functions to lead an integrated response to the strategic threat posed by cyber crime
      • Collaboration means aligning across the organization with a common goal in mind - maximizing the performance of the business
      Collaboration is hard. It requires the ability to listen with the intent to understand. And a commitment to a larger, common goal.
  24. Communicate Effectively
      • The CISO of the future will effectively translate threats, risks and opportunities into actionable information for executives and Boards of Directors
      • Communicating effectively is the result of a business-oriented approach to InfoSec
        • Business-driven assessment and quantification of risk
        • An integrated risk management plan with broad organizational support
        • A disciplined method to measure both the operational and financial performance of the company’s InfoSec investment
  25. Key Takeaways
      • Accelerated unmeasured spending is unsustainable
      • We’ve been here before - healthcare
      • InfoSec professionals are key to leading the transformation
  26. Preparing to Lead
      • It’s a choice - agree or not - but think about it
      • What you can do
        • Think differently about risk (FAIR is a good start)
        • Go beyond budget battles and measure the financial performance of your initiatives
        • Understand your peers in business and finance; how can you contribute to their success? How can they help you?
        • Communicate with a business mindset
  27. Thank You!
      Shelly Carlin - shelly.carlin@cambioanalytics.com
      Fred Ritch - fred.ritch@cambioanalytics.com
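The control ROI model built up on slides 18 through 22 (failure cost plus noise, savings as average breach cost times probability, fixed investment), carried through in code as an added example that is not part of the original deck; the dollar and probability inputs are constructed sample values, and reading “offset by” as savings minus failure cost is an assumption the slides do not spell out.

```python
"""Worked example of the slide 18-22 control ROI model (added here, not from the deck).
All monetary and probability inputs below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlPeriod:
    """Inputs for one control over one measurement period (e.g. a fiscal year)."""
    investment: float           # fixed cost of the control (slide 21)
    breach_cost_actual: float   # actual cost of breaches experienced in the period (slide 19)
    noise_cost: float           # cost of investigating false positives the control raised (slide 19)
    avg_breach_cost: float      # estimated average cost of a breach (slide 20)
    breach_probability: float   # probability a breach occurs and causes financial loss (slide 20)


def cost_of_control_failure(p: ControlPeriod) -> float:
    """Slide 19: actual breach cost plus the 'noise' of false-positive investigations."""
    return p.breach_cost_actual + p.noise_cost


def savings_from_control_success(p: ControlPeriod) -> float:
    """Slide 20: loss avoided = average breach cost x probability of a loss event,
    i.e. the FAIR-style 'probability x magnitude' risk figure from slide 15."""
    if not 0.0 <= p.breach_probability <= 1.0:
        raise ValueError("breach_probability must be between 0 and 1")
    return p.avg_breach_cost * p.breach_probability


def net_benefit(p: ControlPeriod) -> float:
    """Slide 18: 'cost of control failure offset by savings from control success'.
    Assumption: net benefit = savings - failure cost, so a negative value means the
    control cost the business more than it saved in the period."""
    return savings_from_control_success(p) - cost_of_control_failure(p)


def roi(p: ControlPeriod) -> float:
    """Slide 18/22: return on investment = net benefit / investment in the control.
    A control with no recorded investment has no defined ROI; refuse rather than divide by zero."""
    if p.investment <= 0:
        raise ValueError("investment must be positive to compute ROI")
    return net_benefit(p) / p.investment


# Constructed sample: a $250k/year control that let one $120k incident through and
# generated $40k of false-positive triage, guarding against a breach with an estimated
# average cost of $2M judged 30% likely over the period.
SAMPLE = ControlPeriod(investment=250_000, breach_cost_actual=120_000, noise_cost=40_000,
                       avg_breach_cost=2_000_000, breach_probability=0.30)

if __name__ == "__main__":
    print(f"net benefit: ${net_benefit(SAMPLE):,.0f}  ROI: {roi(SAMPLE):.2f}")
```

With the sample inputs the control's net benefit is $440,000 and its ROI is 1.76, the financial answer slide 17 asks for alongside the operational detection numbers.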
